Looking for a guide to collect all e-mail from the ISP mail server
Hi all:
I am evaluating mail server solutions for a small business. The trouble is, I am only a part-time admin and a newbie to mail servers.
Most guides I have seen are rather unrealistic: they encourage you to expose your e-mail server to the Internet, and hope that you have the resources to keep it patched up.
I would rather have an internal mail server that collects e-mails from a standard ISP mail server. It is like the old "POP3 Connector" that came with Microsoft Exchange. Sometimes, there is a mailbox per user on the ISP, and a corresponding one on the local server. Other times, there is a single "catch all" or "multidrop" mailbox on the ISP.
Users can still access their internal mailboxes from outside through an OpenVPN connection. The goal is that only VPN, and perhaps SSH, are accessible from the outside. We do not need to arrange any special SMTP configuration with the ISP either.
This kind of mail server setup is rather different from the standard configuration. You do not normally need your own antivirus and spam filter, and you do not need to configure SSL certificates, MX or SPF DNS records. Most ISPs handle that correctly and economically. Internal e-mail does not leave your LAN, and your internal SMTP server is just a relay for the external ISP SMTP server.
Furthermore, most guides do not explain how to set up an autoresponder ("I am on holiday until xxx") so that users can enable theirs with the mouse. Editing configuration files over SSH is not really an option for normal users. This detail is important because it could be the only thing I need above standard e-mail. Further groupware features can be seen as nice but ultimately unnecessary luxury, and a basic shared calendar can be accomplished with a separate server like https://radicale.org/ and a calendar client like the one built into Thunderbird. Hopefully, that is all I would need for a small business.
Can anyone point me to the kind of guide I need? Failing that, I would need information or examples about using fetchmail, getmail or similar software with Dovecot. Good or bad experiences from you guys would also help.
Each of those tools has a detailed man page, but there are many options and ways with different advantages and disadvantages. I would need a simpler guide to get started.
I am aware that there are pre-packaged mail server solutions that would perhaps bring an easy-to-use autoresponder, but I haven't seen one yet where you could tick a box like "this server is only internal and collects mail from the ISP server" during installation. Nor have I seen instructions about reconfiguring the mail server for my ISP mail scenario.
I am prepared to learn more and write my own Perl scripts and/or installation guide, but it would be stupid to waste time if something easy already exists. After all, the setup I am describing (external ISP mail server + internal mail server) is not so weird.
Thanks in advance, rdiez
Maybe get something like Zimbra, such solutions also have support that you can buy when you need it or don't have time (I guess).
-----Original Message----- From: R. Diez [mailto:rdiezmail-2006@yahoo.de] Sent: Sunday, October 25, 2020 6:57 PM To: dovecot@dovecot.org Subject: Looking for a guide to collect all e-mail from the ISP mail server
On 25.10.20 at 21:01, Marc Roos wrote:
see https://blog.sys4.de/abholdienst-fur-mail-de.html
-- sys4 AG
http://sys4.de, +49 (89) 30 90 46 64 Schleißheimer Straße 26/MG, 80333 München
Registered office: München, Amtsgericht München: HRB 199263. Board: Patrick Ben Koetter, Marc Schiffbauer. Chairman of the supervisory board: Florian Kirstein
On 26.10.20 at 21:55, Robert Schetterer wrote:
OP considers his/her ISP's spam/antivirus filter adequate. Doing such on his/her own burdens the setup with quite some maintenance. Perhaps though, getmail trumps fetchmail, I don't know.
-- peter
Hello R,
Your goal does not sound weird. The most painless way might be to fetch incoming messages from the ISP's IMAP and deliver them to your local dovecot. A shortened fetchmailrc would read:
poll remote.server …
    user …, password …
    folder 'INBOX' fetchall idle ssl
    mda "HOME=%T /usr/bin/sudo -u %T /usr/lib/dovecot/deliver"
That way your users can create their vacations with the ISP portal, the ISP will do availability, antivirus etc. You can even use sieve on delivery. Perhaps fetch "Spam" too, if your ISP files it away.
Beware, you have to somehow keep tabs on remote and local usernames. Passwords will be different. Local updates should be no problem with a reasonable distro, e.g. the dovecot public repo.
Happy becoming a mail server admin!
Peter
On 25.10.20 at 18:56, R. Diez wrote:
Your goal does not sound weird.
OK, thanks for the confirmation.
The most painless way might be to fetch incoming messages from the ISP's IMAP and deliver them to your local dovecot. A shortened fetchmailrc would read:
poll remote.server …
    user …, password …
    folder 'INBOX' fetchall idle ssl
    mda "HOME=%T /usr/bin/sudo -u %T /usr/lib/dovecot/deliver"
Brilliant, thanks for the info.
That way your users can create their vacations with the ISP portal, [...]
That's a good idea. But then internal e-mails need to go out to the ISP, don't they? Because, if internal e-mails get delivered locally, the vacation autoresponses on the ISP will not trigger, will they?
The trouble is, with that configuration, if the Internet link goes down, internal e-mail stops working too.
I was hoping that there would be a complete mail server setup guide somewhere for this kind of setup. But I guess I'll have to piece all these information snippets together.
Regards, rdiez
Hello R,
reply inline below:
On 25.10.20 at 23:12, R. Diez wrote:
That way your users can create their vacations with the ISP portal, [...]
That's a good idea. But then internal e-mails need to go out to the ISP, don't they? Because, if internal e-mails get delivered locally, the vacation autoresponses on the ISP will not trigger, will they?
The trouble is, with that configuration, if the Internet link goes down, internal e-mail stops working too.
Hello R, I only wrote about the incoming side - of course, you also want to send mail to remote users, and that includes users with an address of …@myisp.com. They will go to the ISP and be fetched to local from there.
And if the internet's down, e-mail will stop working anyway, so why bother? Even Facebook/WhatsApp will stop working then!
With some tinkering, you can configure your local relay SMTP to deliver those locally, but if your people do not talk about their vacations over the water cooler, then they will miss that reminder.
I was hoping that there would be a complete mail server setup guide somewhere for this kind of setup. But I guess I'll have to piece all these information snippets together.
Sorry, the world is too big :)
-- peter
That way your users can create their vacations with the ISP portal,
But then internal e-mails need to go out to the ISP, don't they? Because, if internal e-mails get delivered locally, the vacation autoresponses on the ISP will not trigger, will they?
Hello R, I only wrote about the incoming side - of course, you also want to send mail to remote users, and that includes users with an address of …@myisp.com. They will go to the ISP and be fetched to local from there.
That is not what I had in mind. My users will not go to the ISP and fetch their e-mails from there. They will always go to my internal mail server. If a user is on the road, he/she will connect with OpenVPN first.
Of course, immediately receiving new e-mails without a VPN connection would be more comfortable. But that level of comfort needs a real mail server consultant then. 8-)
The trouble is, with that configuration, if the Internet link goes down, internal e-mail stops working too.
And if internet's down, e-mail will stop working anyways, so why bother? Even facebook/whatsupp will stop working then!
I have seen Microsoft Exchange setups that carried on working locally if the Internet connection was down. If Microsoft can do that, I want to have it too. 8-)
Whatsapp (which you shouldn't actually use for confidential business communications) may continue working with your mobile phone data connection.
With some tinkering, you can configure your local relay SMTP to deliver those locally, but if your people do not talk about their vacations over the water cooler, then they will miss that reminder.
People are not that careless even in small businesses, where there is no water cooler at all. Most of them do set up autoresponders, so that customers know. Small business tend to care about customers more than big ones. The idea is that those autoresponders should also work internally.
I just learnt that you can install a "Managesieve server" plug-in for forwarding and autoresponders. That would be the way to go then, instead of using the autoresponder at the ISP.
Best regards, rdiez
On 26.10.20 at 11:24, R. Diez wrote:
Hello R, I only wrote about the incoming side - of course, you also want to send mail to remote users, and that includes users with an address of …@myisp.com. They will go to the ISP and be fetched to local from there.
That is not what I had in mind. My users will not go to the ISP and fetch their e-mails from there. They will always go to my internal mail server. If a user is on the road, he/she will connect with OpenVPN first.
Probably I could have said that better: fetchmail will fetch those mails from the ISP, same as any other mails to someone@your.site - the Inbox at your ISPs will always be empty, your users will only interact with the dovecot instance on premise. There is some inefficiency, the price for a simpler setup.
I have seen Microsoft Exchange setups that carried on working locally if the Internet connection was down. If Microsoft can do that, I want to have it too. 8-)
With some tinkering, you can configure your local relay smtp to deliver those locally,
To be more clear - if you have a local smtpd too (not just dovecot and fetchmail, postfix perhaps), that sits between your users MUA and your ISPs smtpd, you can make it recognise someone@your.site as a "local" account and have those mails delivered locally. You have to set up some mappings though, that replicate the ones in your fetchmailrc.
Start of a HOWTO:
- Install dovecot, create virtual accounts for all of your users
- Install fetchmail, make it pull the ISPs IMAP and deliver locally
- Install postfix as a smart relay and deliver locally to locals
Feel free to fill in the details ;)
-- peter
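Peter's fetchmailrc above and his three-step HOWTO both hinge on the same detail: the fetchmail "is ... here" target, the Dovecot account and the Postfix virtual recipient must be the same string, or mail silently lands in the wrong place. The following is an added example, not code from the thread nor from fetchmail, Dovecot or Postfix: a small Python generator that produces all three mapping fragments from one user table, rejects duplicate mappings, and refuses local names that are not safe to expand into fetchmail's mda command line via %T. The domain, host names, paths and user records are assumptions for the demo. The Postfix fragment keeps reject_unauth_destination so the internal relay is not an open relay towards the LAN or VPN side, and "set no bouncemail" stops fetchmail from mailing delivery failures to the unverified sender (backscatter).

```python
"""Added example (not from the thread): one user table -> consistent
fetchmailrc, Dovecot passwd-file and Postfix virtual-mailbox fragments.
Every host name, path and user below is an assumption for the demo."""
import re
from dataclasses import dataclass

LOCAL_DOMAIN = "your.site"                    # assumption: internal mail domain
ISP_IMAP = "imap.isp.example"                 # assumption: ISP IMAP server
ISP_SMTP = "smtp.isp.example"                 # assumption: ISP submission server
DOVECOT_LDA = "/usr/lib/dovecot/dovecot-lda"  # Debian/Ubuntu path; distros differ
# %T is expanded into the mda command line, so only allow boring names there.
SAFE_LOCAL = re.compile(r"^[a-z][a-z0-9._-]{0,31}$")


@dataclass(frozen=True)
class User:
    local: str          # account on the internal Dovecot
    isp_user: str       # login at the ISP (often the full address)
    isp_password: str   # ISP password in clear: .fetchmailrc must be mode 0600
    local_pw_hash: str  # output of: doveadm pw -s SHA512-CRYPT


def fm_quote(value: str) -> str:
    """Double-quote a fetchmailrc string, escaping backslash and quote."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def problems(users) -> list:
    """Mappings that would misroute mail or break the mda command line."""
    found, seen_local, seen_isp = [], set(), set()
    for u in users:
        if not SAFE_LOCAL.match(u.local):
            found.append(f"unsafe local name {u.local!r}")
        if u.local in seen_local:
            found.append(f"two ISP mailboxes map to {u.local}")
        if u.isp_user in seen_isp:
            found.append(f"ISP mailbox {u.isp_user} mapped twice")
        seen_local.add(u.local)
        seen_isp.add(u.isp_user)
    return found


def _checked(users):
    bad = problems(users)
    if bad:
        raise ValueError("; ".join(bad))
    return users


def fetchmailrc(users) -> str:
    """One poll entry, one user line per ISP mailbox, delivered by dovecot-lda."""
    out = ["set daemon 300",      # poll every 5 minutes
           "set no bouncemail",   # report failures to postmaster, not the sender
           "set syslog",
           f"poll {ISP_IMAP} proto IMAP port 993"]
    for u in _checked(users):
        out.append(f"  user {fm_quote(u.isp_user)} there with password "
                   f"{fm_quote(u.isp_password)} is {fm_quote(u.local)} here "
                   f'ssl sslcertck folder "INBOX" fetchall mda "{DOVECOT_LDA} -d %T"')
    return "\n".join(out) + "\n"


def dovecot_passwd(users) -> str:
    """passdb passwd-file lines; uid and home come from a static userdb."""
    return "".join(f"{u.local}:{u.local_pw_hash}\n" for u in _checked(users))


def postfix_vmailbox(users) -> str:
    """virtual_mailbox_maps; with an LMTP transport the value is required but unused."""
    return "".join(f"{u.local}@{LOCAL_DOMAIN} {u.local}\n" for u in _checked(users))


# main.cf fragment: the local domain goes to Dovecot over LMTP, the rest to the ISP.
POSTFIX_MAIN_CF = f"""\
mydestination =
virtual_mailbox_domains = {LOCAL_DOMAIN}
virtual_mailbox_maps = hash:/etc/postfix/vmailbox
virtual_transport = lmtp:unix:private/dovecot-lmtp
relayhost = [{ISP_SMTP}]:587
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_tls_security_level = encrypt
mynetworks = 127.0.0.0/8, 192.168.1.0/24, 10.8.0.0/24
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
"""

if __name__ == "__main__":
    demo = [User("alice", "alice@isp.example", "s3cret", "{SHA512-CRYPT}$6$..."),
            User("bob", "bob@isp.example", 'p"w', "{SHA512-CRYPT}$6$...")]
    print(fetchmailrc(demo), dovecot_passwd(demo), postfix_vmailbox(demo),
          POSTFIX_MAIN_CF, sep="\n")
```

Write fetchmailrc() to the fetchmail user's ~/.fetchmailrc with mode 0600 (it holds the ISP passwords), dovecot_passwd() to the passwd-file your passdb points at, postfix_vmailbox() to /etc/postfix/vmailbox followed by postmap, and the main.cf fragment into main.cf; /etc/postfix/sasl_passwd holds the one ISP login the relay submits with. Adjust the mynetworks ranges to your LAN and OpenVPN subnets.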
Start of a HOWTO:
- Install dovecot, create virtual accounts for all of your users
- Install fetchmail, make it pull the ISPs IMAP and deliver locally
- Install postfix as a smart relay and deliver locally to locals
Feel free to fill in the details ;)
And I thought you guys had nothing else to do, sitting here on the mailing list and pretending to have some mail server skills... So, yes, it does look like I'll have to be the one filling in all the details! 8-)
Regards, rdiez
No spam/virus filtering? Virtual suicide these days :P
On Monday, 26/10/2020 at 16:13 R. Diez wrote:
Hello R.,
Sunday, October 25, 2020, 11:12:48 PM, you wrote:
RD> I was hoping that there would be a complete mail server setup guide somewhere for this kind of setup. But I guess I'll have to piece all these information snippets together.
There are plenty of guides available. I don't know your mother tongue, but seeing your last name, I assume you may be speaking German. Take a look at these German language guides:
https://www.it-management-kirchberger.at/manuals-tutorials/server-centos-7/p...
https://www.dokuwiki.tachtler.net/doku.php
https://dokuwiki.nausch.org/doku.php/centos:mail_c7:spam_6
I am sure others can provide other language guides as well.
best regards
Michael Schumacher
I have used this person's blog for a few operating systems.
https://blog.andreev.it/?p=1975
Poke around for the correct OS. I only set up dovecot and postfix. Keep it simple. You then need opendkim. I think opendkim checks the incoming mail. There is another procedure to sign your mail.
When you think it works, use https://dkimvalidator.com/
Also go to mxtools to verify you haven't created an open relay.
Regarding LetsEncrypt, I use the bash script. https://github.com/acmesh-official/acme.sh This saves you Python headaches.
-----Original Message----- From: michael.schumacher@pamas.de Sent: October 26, 2020 1:09 AM To: rdiezmail-2006@yahoo.de; pch@myzel.net Cc: dovecot@dovecot.org Subject: Re: Looking for a guide to collect all e-mail from the ISP mail server
There are plenty of guides available. I don't know your mother tongue, but seeing your last name, I assume you may be speaking German. Take a look at these German language guides:
I do speak German, thanks for the links.
https://www.it-management-kirchberger.at/manuals-tutorials/server-centos-7/p...
I could not find anything there related to multidrop or "catch all" mailboxes.
https://www.dokuwiki.tachtler.net/doku.php
Nothing like that there either.
https://dokuwiki.nausch.org/doku.php/centos:mail_c7:spam_6
This is a huge document with little introduction. It seems to be mostly about fighting spam. I did not find anything like the setup I described.
Regards, rdiez
[...]
I could not find anything there related to multidrop or "catch all" mailboxes. [...] Nothing like that there either. [...] This is a huge document with little introduction. It seems to be mostly about fighting spam. I did not find anything like the setup I described.
Looks like the collective wisdom of this group can't provide precisely what you are looking for. You may need to figure it out by yourself.
Btw., why is an open port 25 evil if the MTA is configured correctly? Can you elaborate, please?
best regards
Michael Schumacher
I remember back in the dial-up era there was a small company in Timisoara who tried to sell this kind of solution. (They started to sell servers after a while, so I guess they didn't have much success selling their workaround.) So I guess it is not trivial to sort all the mails again and deliver each one into a mailbox after you have mixed them all together in a single catch-all mailbox. It could be done for sure, but it is some work to do... Also there is some management: what to do with the catch-all mailbox? Delete each mail after it has been successfully downloaded? Use IMAP and sync it for a while to have a backup?
On 10/26/20 6:34 PM, Michael Schumacher wrote:
On 26.10.20 17:45, Mihai Badici wrote:
So I guess it is not trivial to sort again all the mails and deliver each one in a mailbox after you mixed all together in a single catchall mailbox. Could be done for sure but it is some work to do...
Determining the intended recipient of a specific *copy* of an e-mail (info contained in the envelope) from that copy *after* "final" delivery (at the ISP, no more envelope, info *possibly* contained in pseudo headers of varying name and reliability) is *most definitely* nontrivial, and (used to be?) known as a prime cause of mail loops.
If you don't know *exactly* what you're doing, maintain your myriad of users/mailboxes *both* at the ISP and on your internal servers and put the "mails in ISP mailbox X *all* go into internal mailbox Y, and nowhere else!" relations "hardcoded" into your retrieval tool's config.
Regards,
Jochen Bern Systemingenieur
Binect GmbH
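The problem Mihai and Jochen describe above, as an added example that is not from the thread: a small Python router that decides which local Dovecot account a message taken from a single catch-all ("multidrop") ISP mailbox belongs to. The domain, the user list, the loop marker and the three sample messages are constructed for the demo; the pseudo-envelope header names are the ones commonly seen (Delivered-To, X-Original-To, Envelope-To, X-Envelope-To), and a given ISP may add others or none. The router follows Jochen's warning in the conservative direction: trust an envelope trace if there is one, otherwise deliver to every visible local recipient, and if there is none (Bcc, list mail, forged headers) hand the copy to postmaster rather than guess or bounce. These headers are ordinary headers that any sender can forge, so they are routing hints, never authentication; the worst a forger achieves here is misdelivery to another local mailbox. The X-Loop stamp is the classic procmail/sendmail-style loop guard: a copy that already carries ours is dropped instead of being re-fed.

```python
"""Added example, not from the thread: route one message from a multidrop
("catch all") ISP mailbox to the right local Dovecot account.
Domain, users, loop marker and the sample messages are constructed."""
from email import message_from_string
from email.message import Message
from email.utils import getaddresses

LOCAL_DOMAIN = "your.site"                     # assumption
LOCAL_USERS = {"alice", "bob", "info"}         # assumption: internal accounts
LOOP_MARK = "multidrop-fetch@" + LOCAL_DOMAIN  # assumption: our X-Loop value
MAX_RECEIVED = 30                              # hop-count sanity limit

# Pseudo-envelope headers an ISP may add at final delivery, most trustworthy
# first.  They are plain headers, so a sender can forge them: routing hints only.
ENVELOPE_HEADERS = ("Delivered-To", "X-Original-To", "Envelope-To", "X-Envelope-To")


def local_user(addr: str):
    """The local account named by addr, or None if it is not one of ours."""
    local, sep, domain = addr.strip().strip("<>").lower().rpartition("@")
    if sep and domain == LOCAL_DOMAIN and local in LOCAL_USERS:
        return local
    return None


def is_loop(msg: Message) -> bool:
    """True if this copy already went through us, or has absurdly many hops."""
    if any(v.strip().lower() == LOOP_MARK for v in msg.get_all("X-Loop", [])):
        return True
    return len(msg.get_all("Received", [])) > MAX_RECEIVED


def route(raw: str):
    """Return (action, users): ("deliver", [...]), ("quarantine", ["postmaster"])
    or ("drop", []).  Never bounce: the sender is unverified, so a bounce is
    just backscatter and, for Bcc'd mail, a leak of who else got it."""
    msg = message_from_string(raw)
    if is_loop(msg):
        return "drop", []
    # 1. Envelope trace.  get_all() keeps header order, so the topmost, i.e.
    #    most recently added, copy of a header wins.
    for name in ENVELOPE_HEADERS:
        for value in msg.get_all(name, []):
            user = local_user(value)
            if user:
                return "deliver", [user]
    # 2. No trace left: without the envelope we cannot tell which copy this
    #    is, so every visible local recipient gets it (fetchmail does the same).
    hdrs = msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Resent-To", [])
    users = sorted({u for _, a in getaddresses(hdrs) if (u := local_user(a))})
    if users:
        return "deliver", users
    # 3. Bcc, list mail or forged headers: a human decides, nothing is lost.
    return "quarantine", ["postmaster"]


def stamp(raw: str) -> str:
    """Add our X-Loop marker before the copy is handed to dovecot-lda."""
    msg = message_from_string(raw)
    msg["X-Loop"] = LOOP_MARK
    return msg.as_string()


# Constructed sample messages (not real mail).
WITH_ENVELOPE = """\
Return-Path: <customer@example.org>
Delivered-To: bob@your.site
Received: from mx.isp.example by mbox.isp.example; Mon, 26 Oct 2020 10:00:00 +0000
From: customer@example.org
To: sales@your.site
Subject: order 4711

Please confirm.
"""

HEADERS_ONLY = """\
From: supplier@example.net
To: Alice <alice@your.site>, Someone Else <x@elsewhere.example>
Cc: bob@your.site
Subject: price list

Attached.
"""

BCC_ONLY = """\
From: newsletter@example.com
To: undisclosed-recipients:;
Subject: news

Hello.
"""

if __name__ == "__main__":
    for raw in (WITH_ENVELOPE, HEADERS_ONLY, BCC_ONLY, stamp(WITH_ENVELOPE)):
        print(route(raw))
```

In a real deployment the "deliver" branch would run dovecot-lda -d for each listed user on the stamped copy, "quarantine" would deliver to the postmaster account, and only after every delivery succeeded would the message be deleted from the ISP mailbox, which answers Mihai's question about when it is safe to remove mail from the catch-all.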
On 10/26/20 7:53 PM, Jochen Bern wrote:
On 26.10.20 17:45, Mihai Badici wrote:
So I guess it is not trivial to sort again all the mails and deliver each one in a mailbox after you mixed all together in a single catchall mailbox. Could be done for sure but it is some work to do...
Determining the intended recipient of a specific *copy* of an e-mail (info contained in the envelope) from that copy *after* "final" delivery (at the ISP, no more envelope, info *possibly* contained in pseudo headers of varying name and reliability) is *most definitely* nontrivial, and (used to be?) known as a prime cause of mail loops.
If you don't know *exactly* what you're doing, maintain your myriad of users/mailboxes *both* at the ISP and on your internal servers and put the "mails in ISP mailbox X *all* go into internal mailbox Y, and nowhere else!" relations "hardcoded" into your retrieval tool's config.
Regards,
That's exactly why I recommended using an SMTP relay. Maintaining two user databases without any password sync mechanism available is asking for trouble. Well, with under 10 users you can manage...
As a bonus, you have a near "real mail system" and you eventually learn to manage it :)
You need SPF and DKIM for your outgoing email to be accepted.
My idea of a secure email server is to use submission port 587. Expose port 25 to the world and aggressively filter all remaining email ports with a firewall. And I mean aggressive. Geographically filter so only countries where your users reside can send and retrieve email. Block major hosting IP space.
How many users will be on the system? If you can handle it, assign all the email passwords. This means you need to contact them out of band. I avoid cpanel or similar internet access to email settings. I use nothing but ssh to maintain my server.
-----Original Message----- From: rdiezmail-2006@yahoo.de Sent: October 25, 2020 10:57 AM To: dovecot@dovecot.org Subject: Looking for a guide to collect all e-mail from the ISP mail server
You need SPF and DKIM for your outgoing email to be accepted. [...]
I don't understand why that is the case (but keep in mind that I am a newbie).
Is it not possible to set up some internal SMTP server that only relays the e-mails to the external ISP SMTP server? The internal SMTP server would then act like a normal user's Thunderbird.
At first I thought that the internal SMTP server would need to know the password for each mailbox user. But then I asked, and the ISP SMTP server allegedly accepts any source e-mail address, as long as you are using one e-mail account that is valid in the domain. I wonder if that is standard practice.
My idea of a secure email server is to use submission port 587. Expose port 25 to the world and aggressively filter all remaining email ports with a firewall. And I mean aggressive. Geographically filter so only countries where youe users reside can send and retrieve email. Block major hosting IP space.
Geo blocking can be problematic. Depending on the small business, some customers and suppliers may sit in China or some other geographical area you would normally block.
I am too afraid, I would not expose any such port on the Internet. Who knows if the mail server stays months without an update. If I am to recommend or implement any such mail server solution to a small business, I would insist that the e-mail server is not exposed at all on the Internet.
A web interface etc. is not a problem: I just connect with a VPN and bypass most external security issues. If you are the admin, you can also forward the web interface over an SSH connection.
Best regards, rdiez
You look spammy if you don't have SPF or DKIM, and hopefully both. Your email will either be bounced or sent to a spam folder. You need a reverse pointer as well, but that shouldn't be an issue. The situation is actually worse than it sounds. ATT/SBC needs to whitelist you by IP if you are using a VPS. Spectrum/Charter just plain blocks many VPS with no recourse.
Regarding geofencing, look back at my post. I leave port 25 open to the world. I can receive email from any country. Using submission port 587 means you can geofence from where your employee sends and receives email. It does not affect your customers since they use port 25.
The reason I run my own email server is I got hacked when using a hosting service. The hacker used a vulnerability in RoundCube and could send email as me. My PayPal account password was then changed. The hacker was in Morocco. I'm sure Morocco is a fine country but I don't plan on visiting it and thus don't need to access my email from there. Note the hacker could have changed my email password too but didn't. To top it off, I don't even use RoundCube. Never use a browser for email.
When I set up my own email / webserver I made it a point to not use any GUI control panel. If there is no hook to change a password from a control panel then it won't happen. You reduce the attack surface. All passwords are SHA512.
You geofence all email ports except 25.
I also have a VPS using openvpn but it is on a different IP. That is a tunnel out of it to use the internet. Now I think what you want to do is to have openvpn show up as the local host. What you might want to do is join the postfix users group. I wouldn't bring up this kind of proxied email scheme you want to set up. Rather just ask if it is possible to set up postfix/dovecot so that the user who will always be on a VPN can send and receive email. That is, I think it will boil down to permit local host and nothing else in certain places. There are guru status users there.
One thing you will learn about email servers is there are many programs to chain together. However think of light bulbs in series. The more in the chain, the more likely it is to fail. I dropped SpamAssassin and amavisd due to poor reliability. That was when I used FreeBSD. I now run CentOS but just don't bother with those extra programs. I use RBLs for spam blocking. I use my brain for antivirus. Antivirus isn't all that good anyway. The key with antivirus is at what point in time do they recognize the file is a virus. I send all my malware links to virustotal.com and maybe two will recognize the link goes to malware.
Original Message
From: rdiezmail-2006@yahoo.de Sent: October 25, 2020 3:25 PM To: lists@lazygranch.com Cc: dovecot@dovecot.org Subject: Re: Looking for a guide to collect all e-mail from the ISP mail server
"Never use a browser for email."
I don't agree. In fact, using a browser for email, or at least for the initial setup, is actually more secure. This is because SMTP/IMAP clients normally don't support 2FA, so you would have to "hack" a solution to enable 2FA for email.
This can be done in 2 ways: Either you have a full-fledged email setup. What's important, to prevent auth-bypass holes, is that you remove the authentication in RoundCube or whatever webmail you use, and instead use reverse-proxy or firewall authentication. Thus an unauthenticated user doesn't even touch RoundCube/webmail at all, but must authenticate at a prior stage.
The second way is to not have webmail at all, but instead have an authentication gateway in the browser, where you must auth with 2FA and captcha. The only purpose of this gateway is to authenticate users with 2FA before their IP is whitelisted.
After this, you simply have a script that, upon valid login (with 2FA) in either webmail or the auth gateway, sets the authorized IP of the user to this one. What happens then is that each account will have an authorized IP attached (you could limit it to the /24 to cater for mobile clients), and then login to that account will only be accepted from that authorized IP.
This then allows SMTP/IMAP usage from that IP. If you want to go even more secure, you could restrict the firewall to the list of all IPs that all users have dynamically, and then in the SMTP/IMAP server lock down auth to the authorized IP of that particular user account only.
It's very important that, upon authing from an incorrect IP, the server responds in the same way as if an invalid password was specified. In this way, if someone attempts to bruteforce the password, they will "miss" the correct password if the server does not react differently to a correct password but invalid IP. Thus bots that bruteforce will not gain any success.
All this can be combined with permanent whitelists and geoIP whitelists, to avoid users having to authenticate with 2FA for "trusted" locations. One example would be to have the local office as a permanent whitelist, and also have it that any IP in the user's "home country" is permanently whitelisted for his account once the user authenticates with 2FA.
Other IPs outside his home country are then only whitelisted once; on the next 2FA login, the old whitelist is simply deleted.
Good luck with all that coding. I have four years now of running my own email server. Zero hacks. I keep the attack surface to a minimum. Less is more.
One thing you don't want to do is write your own code. This stuff is always way harder than you think. Worse yet you run alpha generation code because you are the only one using it. All software has bugs. What you need is a mass of users flogging the code and finding the bugs.
Now if you do use a browser, you have to deal with leaks, bugs, possible process interaction if more than one tab is open, and possibly browser extension hacks if extensions are used.
Count me out.
And did you miss the part where I was hacked via RoundCube?
Original Message
From: sebastian@sebbe.eu Sent: October 25, 2020 9:47 PM To: dovecot@dovecot.org Reply-to: dovecot@dovecot.org Subject: SV: Looking for a guide to collect all e-mail from the ISP mail server
"Never use a browser for email."
Amen to that!
-----Original Message----- From: lists [mailto:lists@lazygranch.com] Sent: Monday, October 26, 2020 7:09 AM To: Dovecot Mailing List Subject: Re: SV: Looking for a guide to collect all e-mail from the ISP mail server
On 25 Oct 2020, at 22:47, Sebastian Nielsen <sebastian@sebbe.eu> wrote:
The second way, is to not have webmail at all, but instead have a authentication gateway in browser, where you must auth with 2FA and captcha. The only purpose of this gateway, is to authenticate users with 2FA before their IP is whitelisted.
I mostly agree with the sentiments in your email, but whitelisting IP addresses is a HORRIBLE idea and a massive gaping security hole and using a captcha is only slightly less horrible and user-hostile. If you are using 2FA there is absolutely no reason to use a captcha.
A 2FA gateway that reverse proxies the webmail is quite good, but enforcing good passwords and using TLS is good enough for nearly all use cases.
(I recently upped the minimum password length from 12 characters)
-- Ah we're lonely, we're romantic / and the cider's laced with acid / and the Holy Spirit's crying, Where's the beef? / And the moon is swimming naked / and the summer night is fragrant / with a mighty expectation of relief
1: I meant like this:
Without whitelisting, you can't login to SMTP or IMAP, password isn't valid at all.
To enable SMTP and IMAP, you then either surf to webmail, or the 2FA gateway, and login with: Username + password + 2FA code + captcha.
When all is valid, then your IP is whitelisted for SMTP and IMAP access. This still means you have to use username/password for SMTP/IMAP.
So how would this be a security hole? Instead of using only username+password for SMTP/IMAP? The whitelisting procedure ADDS to the security. The baseline security with username+password is already there, but now you ALSO need a whitelisted IP to even get a chance to authenticate.
Kind of stupid that there doesn't exist some common standard for 2FA that works in email clients. Some clients do support TLS client certificates, and some clients do support certain "extensions" for 2FA auth. But the only one commonly supported in all clients is password auth without 2FA, which is pretty insecure.
Outlook has solved 2FA auth with a webview that uses OAUTH to create an authentication token, for use with SMTP/IMAP using some proprietary extension with gmail and hotmail. But that webview is not something you can trigger from a third party service.
Captcha is there to prevent bruteforcing. If a valid captcha is submitted along with a 2FA code, you could lock out the account for 1 minute for each invalid attempt. If an invalid captcha is submitted, you ignore the request completely. This then prevents an attacker from flooding the server with invalid auth requests for the sole purpose of keeping a user locked out. (Account Lockout DDoS attack)
I had problems with my mail password getting hacked all the time. The instant I added IP whitelist to my system and blocked all non-approved IPs from authenticating at all (so you must have username + password + correct IP to gain access) - then all hacking of my passwords have stopped. IP lockout was the solution to my problems.
2: The idea with the reverse-proxy gateway is only to prevent auth-bypass or non-authenticated security holes. If you have a web service that has a suspected vulnerability that could be used without authenticating, or could be used to bypass authentication, then you put a reverse proxy in front. The reverse proxy does the authentication, and only forwards requests belonging to authenticated users. Even if the webservice behind has an auth-bypass hole, it cannot be exploited, as the reverse proxy is behind the service, and non-authenticated users cannot even touch the webservice at all.
-----Original Message----- From: dovecot-bounces@dovecot.org <dovecot-bounces@dovecot.org> On behalf of @lbutlr Sent: 27 October 2020 15:57 To: dovecot mailing list <dovecot@dovecot.org> Subject: Re: Looking for a guide to collect all e-mail from the ISP mail server
On Tue, 27 Oct 2020, Sebastian Nielsen wrote:
Kind of stupid that there doesn't exist some common standard for 2FA that works in email clients.
You can bodge it for HOTP/TOTP hardware token generators. Dovecot allows custom plugins to check passwords. The plugin can take passwords of the form {password}+{2fa-token}, then split each part to check against authentication systems to check validity.
Joseph Tam <jtam.home@gmail.com>
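As an added example (not code from the thread and not Dovecot's own), here is the logic that Joseph's {password}+{2fa-token} bodge and Sebastian's per-account authorized-IP rule would share, in Python: the password field the mail client sends is split into password and TOTP code, the code is verified as RFC 6238 TOTP, the client IP is checked against the account's allowlist, and every failure returns the same answer. The user name, password and office network are constructed, the TOTP secret is the RFC 6238 test secret, and hooking the function up through Dovecot's checkpassword or Lua passdb interface is not shown.

```python
import hashlib
import hmac
import ipaddress
import os
import struct

TOTP_DIGITS = 6
TOTP_STEP = 30            # seconds per TOTP step (RFC 6238 default)
TOTP_WINDOW = 1           # also accept the previous and the next step (clock drift)
PBKDF2_ROUNDS = 100_000


def hotp(secret: bytes, counter: int, digits: int = TOTP_DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: int, step: int = TOTP_STEP, digits: int = TOTP_DIGITS) -> str:
    """RFC 6238 TOTP: HOTP over the current time step."""
    return hotp(secret, now // step, digits)


def make_user(password: str, totp_secret: bytes, allowed_nets) -> dict:
    """Constructed user record: salted PBKDF2 hash of the password, the raw TOTP
    secret (an authenticator app would be given base64.b32encode(totp_secret)),
    and the networks this account may authenticate from."""
    salt = os.urandom(16)
    return {
        "salt": salt,
        "pw_hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS),
        "totp_secret": totp_secret,
        "allowed_nets": [ipaddress.ip_network(n) for n in allowed_nets],
    }


# Constructed sample directory: hypothetical user, RFC 6238 test secret, TEST-NET-1 "office".
USERS = {
    "alice": make_user("correct horse battery", b"12345678901234567890", ["192.0.2.0/24"]),
}
# Dummy record so that an unknown username runs exactly the same checks as a real one.
_DUMMY = make_user("not-a-real-password", b"00000000000000000000", [])


def _run_all_checks(record: dict, password: str, token: str, remote_ip: str, now: int) -> bool:
    """Evaluate IP, password and token unconditionally (no early return) and combine
    them with a non-short-circuiting AND, so a wrong IP, a wrong password and a
    wrong code all take the same path and produce the same result."""
    ip = ipaddress.ip_address(remote_ip)
    ip_ok = any(ip in net for net in record["allowed_nets"])

    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], PBKDF2_ROUNDS)
    pw_ok = hmac.compare_digest(candidate, record["pw_hash"])

    step = now // TOTP_STEP
    tok_ok = False
    for delta in range(-TOTP_WINDOW, TOTP_WINDOW + 1):
        tok_ok |= hmac.compare_digest(hotp(record["totp_secret"], step + delta), token)

    return ip_ok & pw_ok & tok_ok


def authenticate(username: str, combined: str, remote_ip: str, now: int) -> bool:
    """The passdb decision. `combined` is what the mail client sent in its password
    field, in the form {password}+{6-digit TOTP}. True only when the user exists,
    the client IP is on the account's allowlist, the password matches and the code
    is current; every other case returns the same False."""
    password, sep, token = combined.rpartition("+")
    well_formed = bool(sep) and len(token) == TOTP_DIGITS and token.isascii() and token.isdigit()
    if not well_formed:
        password, token = combined, "0" * TOTP_DIGITS   # malformed input still does the full work
    record = USERS.get(username)
    known = record is not None
    if not known:
        record = _DUMMY
    checks_ok = _run_all_checks(record, password, token, remote_ip, now)
    return known & well_formed & checks_ok
```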
I would have to also hack the email client since I don't enter my 20 character high entropy password when I send or retrieve email.
You really need an email standard to integrate TOTP. To be realistic, you need Gmail to use it. Whatever Gmail wants is essentially a de facto standard. I live in the real world, so whatever Google wants, I comply.
Original Message
From: jtam.home@gmail.com Sent: October 27, 2020 3:57 PM To: dovecot@dovecot.org Subject: Re: SV: Looking for a guide to collect all e-mail from the ISP mail server
Whatever Gmail wants is essentially a de facto standard.
Gmail has solved it with an OAuth authorization scheme. Basically, the first time setting up mail, you are asked to authenticate by 2FA in a webview, then a shared secret is established, that is used during SMTP and IMAP time. Both Hotmail and Gmail are using this hackish webview solution for Outlook integration (and integration in some other email clients).
That's why Google and Microsoft have their own buttons inside Outlook and some other mail clients.
And which email clients can do this?
A de facto standard needs to be adopted. If I don't provide SPF or DKIM, I am likely to be deemed spammy, hence a de facto standard has been established. I don't see this with TOTP.
I'm all for TOTP, but I'm not going to code my own.
Original Message
From: sebastian@sebbe.eu Sent: October 27, 2020 5:56 PM To: dovecot@dovecot.org Reply-to: dovecot@dovecot.org Subject: SV: SV: Looking for a guide to collect all e-mail from the ISP mail server
On 27 Oct 2020, at 19:38, lists <lists@lazygranch.com> wrote:
And which email clients can do this?
Microsoft Outlook and Mail (Windows 10 and iOS) and Apple Mail in macOS and iOS and iPadOS, at least.
A de facto standard needs to be adopted. If I don't provide SPF or DKIM, I am likely to be deemed spammy, hence a de facto standard has been established. I don't see this with TOTP.
Those almost certainly cover a majority of email client users. And most gmail users simply use the web browser.
-- "Thank you for sending me a copy of your book; I'll waste no time reading it." - Moses Hadas
You look spammy if you don't have SPF or DKIM, and hopefully both. [...]
I don't want to worry about spam, SPF, DNS or the lot. That is what the ISP is there for. Most of them actually do a pretty good job for very little money in my experience. If not, you can always switch to another ISP.
Regarding geofencing, look back at my post. [...]
Geofencing is way too complicated. You would need a real e-mail consultant for that. 8-)
It is far easier to install OpenVPN, in order to avoid exposing anything else internal on the Internet. Then it is like the user is inside the LAN. There is nothing else to adjust in the mail server or anywhere else.
The reason I run my own email server is I got hacked when using a hosting service. [...]
I can understand that you got hacked. A nasty experience. But, if you think about it, your ISP got hacked, not you. If you open ports, your server may get hacked. And then the hacker is inside your network.
Hack attacks like yours are probably the reason why the European Union is nowadays forcing a kind of two-factor authentication for banks, PayPal etc.
The hacker did not change the e-mail password so that you do not realise immediately that you got hacked, and maybe immediately cancel your credit cards etc.
There is no way most part-time admins like me can provide better security than an ISP. Even paying for a more professional service is probably not worth it. It's an economic weighing exercise: how many get hacked, and what protection costs. I would start by securing PayPal etc. better, by using two-factor authentication like SMS or a separate mobile App to approve payments.
One thing you will learn about email servers is there are many programs to chain together. [...]
That is why I wanted the ISP to take over spam and virus detection. Most do a reasonable job, better than I could ever do anyway.
Best regards, rdiez
At 25 October, 2020 R. Diez wrote:
I am too afraid, I would not expose any such port on the Internet. Who knows if the mail server stays months without an update. If I am to recommend or implement any such mail server solution to a small business, I would insist that the e-mail server is not exposed at all on the Internet.
Setting and forgetting any server/service to run unpatched for months is generally a bad idea. I presume that you won't be maintaining this for them long term -- why not just point them at a hosting service like google apps, and let google keep things up to date?
why not just point them at a hosting service like google apps, and let google keep things up to date?
Costs money, and also the problem is that gmail imposes heavy spam filters and "reputation blocks", meaning smaller providers with low email volumes are put in the spam folder, even if they never send spam, just because their email volume is so low (ergo, they must prove they don't spam before getting out of the spam folder).
Another thing is that you cannot impose IP restrictions when using Google Apps, or have SSO with trusted access from inside the office. (for example - scan your badge at the office door, your personal computer is automatically logged on and you get access to everything).
With locally hosted servers, of course you have to keep them updated. Most linux distributions can keep them updated automatically.
At 26 October, 2020 Sebastian Nielsen wrote:
why not just point them at a hosting service like google apps, and let google keep things up to date?
Oh they most certainly do :)
Costs money, and also the problem is that gmail imposes heavy spam filters and "reputation blocks", meaning smaller providers with low email volumes are put in the spam folder, even if they never send spam, just because their email volume is so low (ergo, they must prove they don't spam before getting out of the spam folder).
OP is trying to come up with a solution to handle transactional email within members of the office and some vendors/clients, not bulk email like you're describing. As for "costs money", well everything in life does. You can't get a branch office's email system setup for free.
Another thing is that you cannot impose IP restrictions when using Google Apps, or have SSO with trusted access from inside the office. (for example - scan your badge at the office door, your personal computer is automatically logged on and you get access to everything).
Eh, sure -- I suppose if the country you're operating in doesn't have open communications with google ( https://transparencyreport.google.com/traffic/overview ) then yeah, you're gonna have a hard time. But this seems like a stretch for an argument against using a hosting provider.
With locally hosted servers, of course you have to keep them updated. Most linux distributions can keep them updated automatically.
My question was directed at OP as it sounded like they were coming in to set something up once then moving on in life. I wouldn't say that _any_ major linux distro updates automatically. Rolling OS distros like arch are constantly getting wedged and requiring a bit of manual attention to nudge things along. Distros like fedora can sorta kinda run with a dnf upgrade happening in a cron if you like to... I guess. Maybe something like RHEL can be set and forgotten, but if you're paying for a RHEL license then you're likely not going to abandon the host.
and also the problem is that gmail imposes heavy spam filters and "reputation blocks", meaning smaller providers with low email volumes are put in the spam folder, even if they never send spam, just because their email volume is so low (ergo, they must prove they don't spam before getting out of the spam folder)
How do you know that?
Because when I email to friends that are using gmail, my mail ends up in spam unless my friends put me in whitelist. Seems to vary however, and seems to get better with time.
-----Original Message----- From: dovecot-bounces@dovecot.org <dovecot-bounces@dovecot.org> On behalf of Marc Roos Sent: 26 October 2020 09:07 To: dovecot <dovecot@dovecot.org>; sebastian <sebastian@sebbe.eu> Subject: RE: SV: Looking for a guide to collect all e-mail from the ISP mail server
Quoting Sebastian Nielsen <sebastian@sebbe.eu>:
Because when I email to friends that are using gmail, my mail ends up in spam unless my friends put me in whitelist. Seems to vary however, and seems to get better with time.
In order to prevent ending up in spam in GMail, it is necessary to have working DKIM and/or SPF for your messages and forward- and reverse DNS records for your mailserver match.
On 26. Oct 2020, at 11.02, Arjen de Korte <build+dovecot@de-korte.org> wrote:
Quoting Sebastian Nielsen <sebastian@sebbe.eu>:
Because when I email to friends that are using gmail, my mail ends up in spam unless my friends put me in whitelist. Seems to vary however, and seems to get better with time.
In order to prevent ending up in spam in GMail, it is necessary to have working DKIM and/or SPF for your messages and forward- and reverse DNS records for your mailserver match.
Even that is not enough. Currently there is no way to guarantee that your email does not get silently dropped or moved to spam when working with gmail.
Sami
Actually the reverse pointer doesn't have to match. In fact this is impossible if you are setting up virtual accounts on one server for different domains. You just need to have a reverse pointer.
Most email servers look to see if the reverse pointer has a "dyn" in it and block those.
Original Message
From: build+dovecot@de-korte.org Sent: October 26, 2020 2:02 AM To: dovecot@dovecot.org Subject: Re: SV: SV: Looking for a guide to collect all e-mail from the ISP mail server
On 26. Oct 2020, at 11.36, lists <lists@lazygranch.com> wrote:
Actually the reverse pointer doesn't have to match. In fact this is impossible if you are setting up virtual accounts on one server for different domains. You just need to have a reverse pointer.
Most email servers look to see if the reverse pointer has a "dyn" in it and block those.
Also your own email server is not behaving nicely:
<lists@lazygranch.com>: host lazygranch.com[198.199.119.111] said: 500 5.7.1 <83-136-254-93.uk-lon1.upcloud.host[83.136.254.93]>: Client host rejected: eat a bag of dicks (in reply to RCPT TO command)
and for that reason I have blacklisted you from any help requests. You may do the same whatever you are telling me to do.
Sami
you should ask your IP provider to set a proper reverse lookup for you. If I got a lot of spam from upcloud.host IPs, I would also consider blocking upcloud.host reverse DNS lookups. If it is your IP, it is an easy request to have it changed.
-----Original Message----- From: Sami Ketola [mailto:sami@ketola.io] Sent: Monday, October 26, 2020 11:22 AM To: lists Cc: Arjen de Korte; Dovecot Mailing List Subject: Re: Looking for a guide to collect all e-mail from the ISP mail server
I assure you each IP address has only one reverse pointer at Digital Ocean. I know this because I set up the reverse pointer myself.
Original Message
From: M.Roos@f1-outsourcing.eu Sent: October 26, 2020 4:41 AM To: lists@lazygranch.com; sami@ketola.io Cc: build+dovecot@de-korte.org; dovecot@dovecot.org Subject: RE: Looking for a guide to collect all e-mail from the ISP mail server
As I previously stated the reverse pointer does not have to match your domain.
Suppose you ran a hosting company called host.com. Suppose you had clients client1.com and client2.com. This requires virtual mailboxes. That is, one domain, host.com, provides email services for client1.com and client2.com. Most servers would just have a reverse pointer to host.com.
Original Message
From: M.Roos@f1-outsourcing.eu Sent: October 26, 2020 7:04 AM To: build+dovecot@de-korte.org; dovecot@dovecot.org Subject: RE: SV: SV: Looking for a guide to collect all e-mail from the ISP mail server
and forward- and reverse DNS records for your mailserver match.
Do even Google's IPs conform to this standard?
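Added example, not code from anyone on this thread: a small Python check that does what the messages above describe a receiving MTA doing with a client's reverse DNS. It requires only that a PTR exists, that it is forward-confirmed (the PTR name resolves back to the connecting IP), and that the name does not look like a dynamic or generic pool address. It never compares the PTR with the sender's domain, which is exactly why host.com's reverse pointer can front mail for client1.com. The IPs, hostnames and the fake resolver table are constructed; the keyword list and the embedded-octets rule are a common heuristic, not any particular MTA's rule.

```python
"""Check a connecting IP's reverse DNS the way a receiving MTA commonly does.

Added example; not code from the thread. The resolver functions are
injectable so the check can run offline against the constructed table below.
"""
import ipaddress
import re
import socket

# Heuristics for "looks like a dynamic/generic pool" reverse names. The keyword
# list and the embedded-IPv4-octets rule are common practice, not a standard
# (assumption; tune them for your own MTA).
DYNAMIC_LABEL_RE = re.compile(
    r"(^|[.-])(dyn|dynamic|dhcp|pool|ppp|dsl|cable|dialup)([.-]|$)", re.IGNORECASE)
EMBEDDED_IPV4_RE = re.compile(r"(^|[.-])\d{1,3}[-.]\d{1,3}[-.]\d{1,3}[-.]\d{1,3}([.-]|$)")


def ptr_lookup(ip):
    """Reverse lookup via the system resolver; None if there is no PTR."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def forward_lookup(name):
    """All addresses the PTR name resolves to (A and AAAA); empty set if none."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(name, None)}
    except socket.gaierror:
        return set()


def check_client_rdns(ip, ptr=ptr_lookup, forward=forward_lookup):
    """Return (verdict, ptr_name); verdict is no_ptr, ptr_mismatch, dynamic_ptr or ok.

    Deliberately NOT checked: the PTR is never compared with any sender domain.
    A hosting provider's PTR (mail.host.example) is fine for client1.example's mail.
    """
    ip = str(ipaddress.ip_address(ip))          # normalise; rejects garbage input
    name = ptr(ip)
    if not name:
        return "no_ptr", None
    name = name.rstrip(".").lower()
    if ip not in forward(name):
        return "ptr_mismatch", name             # not forward-confirmed (FCrDNS fails)
    if DYNAMIC_LABEL_RE.search(name) or EMBEDDED_IPV4_RE.search(name):
        return "dynamic_ptr", name              # the "dyn" heuristic from the thread
    return "ok", name


# Constructed sample DNS data (documentation address ranges) so the check runs offline.
FAKE_PTR = {
    "198.51.100.10": "mail.host.example.",              # proper forward-confirmed PTR
    "198.51.100.11": "203-0-113-9.dyn.isp.example.",   # dynamic-looking name
    "198.51.100.12": "ghost.example.",                  # PTR name resolves elsewhere
    # 198.51.100.13 is deliberately absent: no PTR at all
}
FAKE_FORWARD = {
    "mail.host.example": {"198.51.100.10"},
    "203-0-113-9.dyn.isp.example": {"198.51.100.11"},
    "ghost.example": {"203.0.113.7"},
}


def fake_ptr(ip):
    return FAKE_PTR.get(ip)


def fake_forward(name):
    return FAKE_FORWARD.get(name, set())


if __name__ == "__main__":
    for sample in ("198.51.100.10", "198.51.100.11", "198.51.100.12", "198.51.100.13"):
        print(sample, *check_client_rdns(sample, fake_ptr, fake_forward))
```

Run it without arguments to see the four verdicts on the constructed table; call check_client_rdns(ip) with the default resolvers to test a real address. Note that the check deliberately passes a shared provider PTR: the receiving side only cares that the name round-trips, not that it equals the MAIL FROM domain.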
I know. I am not stating this.
Marc Roos wrote on 2020-10-26 15:04:
and forward- and reverse DNS records for your mailserver match. Do even Google's IPs conform to this standard?
I have never seen SPF HELO pass from Google envelope senders.
Hint to the owner of this mailing list here.
I have no problems with Gmail from Digital Ocean. But I have SPF, DKIM, DMARC and a reverse pointer. You need to not look spammy.
One advantage to using a VPS is your IP is unique. That is you don't share it with a spammer. Not so with hosted services.
Original Message
From: M.Roos@f1-outsourcing.eu Sent: October 26, 2020 1:06 AM To: dovecot@dovecot.org; sebastian@sebbe.eu Subject: RE: SV: Looking for a guide to collect all e-mail from the ISP mail server
and also the problem is that gmail imposes heavy spam filters and "reputation blocks" meaning smaller providers with low email volumes are put in the spam folder, even if they never send spam, just because their email volume is so low (ergo, they must prove they don't spam before getting out of the spam folder)
How do you know that?
On 26. Oct 2020, at 11.08, lists <lists@lazygranch.com> wrote:
I have no problems with Gmail from Digital Ocean. But I have SPF, DKIM, DMARC and a reverse pointer. You need to not look spammy.
One advantage to using a VPS is your IP is unique. That is you don't share it with a spammer. Not so with hosted services.
All that is checked. SPF yes, DKIM yes, DMARC yes, personal ip address space and nothing spammy in the emails. Still randomly emails are silently dropped or moved to spam. Sometimes I can send an email without problems, sometimes identical email in terms of mail structure is silently dropped.
There is just no way to guarantee a delivery to gmail.
Sami
On 25 Oct 2020, at 22:51, Sebastian Nielsen <sebastian@sebbe.eu> wrote:
why not just point them at a hosting service like google apps, and let google keep things up to date?
Costs money,
Yes. That is a *good* thing. Running an unmaintained mail server is a BAD thing.
and also the problem is that gmail imposes heavy spam filters and "reputation blocks" meaning smaller providers with low email volumes,
I think you are confusing gmail and google apps (or whatever it is called now, seems to change all the time).
Another thing is that you cannot impose IP restrictions when using Google Apps, or have SSO with trusted access from inside the office. (for example - scan your badge at the office door, your personal computer is automatically logged on and you get access to everything).
Wow. That sounds sooooooper not secure.
With locally hosted servers, of course you have to keep them updated. Most linux distributions can keep them updated automatically.
You cannot keep a mail server automatically updated, sorry. That is a fantasy.
You can either spend money on someone who knows what they are doing in-house (more secure, more control, more money), or you can spend money on outsourcing to someone who knows what they are doing (less money). The other option involves a pair of smoking boots and a crater and I do not recommend it.
-- Nothing like grilling a kosher dog over human hair to bring out the subtle flavors.
Running an unmaintained mail server is a BAD thing.
Of course. You maintain it.
I think you are confusing gmail and google apps (or whatever it is called now, seems to change all the time).
Google apps uses the same restrictions. What I recall, you can disable SPF and DKIM checks for trusted sources, but you cannot disable reputation checks.
Wow. That sounds sooooooper not secure.
How? Of course, you must have some sort of secure communication between the access controller system, and the system that manages logins for the computers and such. Then when you scan the badge at your personal office space (where only you have access), the access controller tells the system to automatically logon the computer.
Another way is to have an RFID card reader where you put the badge to log in to the computer, and remove the badge to log out. Also an easy and secure system, but it requires lots of integration work if you want to use it with third-party services.
If you have own in-house servers, you can just tell those servers to check on-the-fly with the access control system if there is a valid card on the reader before giving computer X access to account Y - making it secure, since you can then not tamper with anything to bypass the auth check - the server, which is located in secure space, formally asks the access controller "master", which is also located in secure space, if user X is authenticated at reader Y.
You cannot keep a mail server automatically updated, sorry. That is a fantasy.
You can. Ubuntu has packages with mail servers automatically updated. However, sometimes manual intervention is required to change the config when some security holes appear that cannot be resolved with patches.
Why don't you configure all stuff internally and ask your provider to relay the e-mails from and to you via "smart relay"? You will communicate only via smtp and only with your provider, and you can use a nice open-source bundle ( dovecot is mandatory because you wrote on that list :) ) in your LAN.
Original Message
From: rdiezmail-2006@yahoo.de Sent: October 25, 2020 10:57 AM To: dovecot@dovecot.org Subject: Looking for a guide to collect all e-mail from the ISP mail server
Each of those tools has a detailed man page, but there are many options and ways with different advantages and disadvantages. I would need a simpler guide to get started.
I am aware that there are pre-packaged mail server solutions that would perhaps bring an easy-to-use autoresponder, but I haven't seen one yet where you could tick a box like "this server is only internal and collects mail from the ISP server" during installation. Nor have I seen instructions about reconfiguring the mail server for my ISP mail scenario.
I am prepared to learn more and write my own Perl scripts and/or installation guide, but it would be stupid to waste time if something easy already exists. After all, the setup I am describing (external ISP mail server + internal mail server) is not so weird.
Thanks in advance, rdiez
Why don't you configure all stuff internally and ask your provider to relay the e-mails from and to you via "smart relay"? You will communicate only via smtp and only with your provider, [...]
When you are a small business or a volunteer-run club or charity, you don't ask your provider. You have no leverage. You may not even be able to change provider so easily.
Besides, the way you suggest means opening a SMTP port to the outside world. A security risk and more work at the firewall etc.
From what I gathered to date, there should be nothing wrong with collecting e-mails from a catch-all/multidrop POP3/IMAP4 mailbox, so I will carry on pursuing this method.
Regards, rdiez
Besides, the way you suggest means opening a SMTP port to the outside world. A security risk and more work at the firewall etc.
You can just allow some IP addresses of your provider to connect, no? Nothing outside world.
Yes, you all want me to open ports. I'm sorry guys, but I won't budge:
- Opening a port means reconfiguring the firewall. You may find it funny, but some non-profits have no firewall, just a standard ADSL router. The ones that the telecom company provides often have no IP filtering abilities.
- I will not expose an SMTP server to the outside world. I will not install in, or advise to, a small business a piece of software that craves attention (patch me, patch me!).
- Of course I can ask the current ISP. And they may comply. But how about the next one?
- Of course I can filter my provider's IP in some Linux firewall. But then the provider will change its setup and won't tell me. Or I will not have time to modify the configuration. Or the next person will not have time just this week.
- There is really no need. A multidrop / "catch all" mailbox should work fine. And it is a pretty standard feature in all ISPs I know of. Many people are using this kind of setup. It's only that it is hard to learn, because there is no single, complete tutorial for this kind of setup that I have found yet. But I am collecting more info, so maybe I will end up writing one myself.
- Even if it does not make sense, I want to learn how to do it. Just for fun.
You probably mean it well, but if that is all the advice you can give me, it is not really helping!
I really still think that you should not advise other people to expose servers on the Internet if there is not really a _very_ good reason, especially for small businesses or volunteer-driven clubs or charities. The only good reasons I have found yet are for SSH and OpenVPN. Anything else is a "no go" in this kind of environment.
Regards, rdiez
Yes, you all want me to open ports. I'm sorry guys, but I won't budge:
- Opening a port means reconfiguring the firewall. You may find it funny, but some non-profits have no firewall, just a standard ADSL router. The ones that the telecom company provides often have no IP filtering abilities.
Read your router manual; you can easily port forward only from a single IP or multiple IPs to your local
- I will not expose an SMTP server to the outside world. I will not install in, or advise to, a small business a piece of software that craves attention
The problem is your knowledge is limited, and therefore you draw incorrect conclusions. So maybe try and find someone that has more knowledge in your group, or ask around in your charity.
- Of course I can ask the current ISP. And they may comply. But how about the next one?
What next one? You should stick with your ISP for years, I have.
- Of course I can filter my provider's IP in some Linux firewall. But then the provider will change its setup and won't tell me. Or I will not have time to modify the configuration. Or the next person will not have time just this week.
These things do not change. I did not change my mail IPs in the last 10 years or so. I guess only 'hillbillies' that hop around from supplier to supplier to cut a few dollars a month do this.
When you are a small business or a volunteer-run club or charity, you don't ask your provider. You have no leverage. You may not even be able to change provider so easily.
Just ask; I bet they will do it. They do not need to configure that much, I think. By default SMTP servers queue mail for hosts that are down.
On 10/26/20 4:16 PM, R. Diez wrote:
Why don't you configure all stuff internally and ask your provider to relay the e-mails from and to you via "smart relay"? You will communicate only via smtp and only with your provider, [...]
When you are a small business or a volunteer-run club or charity, you don't ask your provider. You have no leverage. You may not even be able to change provider so easily.
Besides, the way you suggest means opening a SMTP port to the outside world. A security risk and more work at the firewall etc.
From what I gathered to date, there should be nothing wrong with collecting e-mails from a catch-all/multidrop POP3/IMAP4 mailbox, so I will carry on pursuing this method.
Regards, rdiez
You will open the SMTP port only to your provider. The provider will receive mail for your domain and will send your mail to the outside world. They can relay it to you on an arbitrary port that you open only for that server. You may be right that you can't ask them for this kind of setup, but if they already run an e-mail server (and most of them actually do) it is not such a big effort to add two lines to their server config; it costs nothing to ask :) That will allow you to run a complete mail suite almost as in the "real world".
Your approach is OK but more complicated. That's why I suggested this setup, which is simpler but indeed needs a little help from your provider (from whichever provider, in fact).
Hi,
I am evaluating mail server solutions for a small business. The trouble is, I am only a part-time admin and a newbie to mail servers.
I too would strongly advise you to use Google Workspace (the recent new name for G Suite, previously known as Google Apps). It's cheap, very reliable, and has all features you can dream of, including an autoresponder. It's unrealistic to think that it's possible to beat a service that costs a mere USD 6 / user / month (and is free for nonprofits!).
Gregory
I too would strongly advise you to use Google Workspace (the recent new name for G Suite, previously known as Google Apps). It's cheap, very reliable, and has all features you can dream of, including an autoresponder. It's unrealistic to think that it's possible to beat a service that costs a mere USD 6 / user / month (and is free for nonprofits!).
I would not advise any company that is continuously being fined for breaking the law.
I would not advise any company that is continuously being fined for breaking the law.
This is not only an overstatement, it is completely irrelevant. Given the OP problem statement (small business, part-time admin, newbie to mail servers), I do not think there is a better solution. A small server already costs 20 USD / month, running a mail server consumes a significant amount of resources, and as the OP mentions running a mail server also represents a high security risk.
I would not advise any company that is continuously being fined for breaking the law.
This is not only an overstatement, it is completely irrelevant. Given the OP problem statement (small business, part-time admin, newbie to mail servers), I do not think there is a better solution. A small server already costs 20 USD / month, running a mail server consumes a significant amount of resources, and as the OP mentions running a mail server also represents a high security risk.
Guys, this kind of advice is not helping me either.
First of all, I want to learn how to do it, just for fun. Even if paying for a hosted solution is an economically better solution. It's not for me to decide anyway.
I will not recommend Google. Ever heard of data protection and data confidentiality? And then you are completely dependent. You are nothing for a huge company like Google. If they lose your complete e-mail database, they will tell you that they are awfully sorry. If at all.
And no, running a mail server does not "consume a significant amount of resources". Any 10-year-old laptop can easily cater for a small business.
Besides, paying $6/user/month is actually very expensive for some small organisations. If you have 20 volunteers coming to help in a small public library once a month, that would be $1440 a year just for e-mail services. Most such people would continue to use private Hotmail addresses. I would rather install a Synology NAS and use whatever e-mail service comes with it.
An on-premise mail server is, and should be, virtually free, at least for a basic e-mail service. No need for cloud. No need to expose any ports. No need to configure the firewall. No need to ask anything from your ISP.
I have seen it running like that on existing small businesses with Microsoft Exchange and the POP Connector. It is just that Microsoft wants you to pay a subscription now, probably because the old licence fees are way cheaper than $6/user/month.
If Linus had been reading this mailing list, we would all be paying lawyers to contract professional Sun/Oracle consultants to run our software on certified Solaris servers!
Regards, rdiez
First of all, I want to learn how to do it, just for fun.
Okay, that was not what you initially said. Some comments below, nonetheless.
I will not recommend Google. Ever heard of data protection and data confidentiality?
Your data is stored confidentially by Google, obviously. Otherwise nobody would use their services.
And then you are completely dependent. You are nothing for a huge company like Google. If they lose your complete e-mail database, they will tell you that they are awfully sorry. If at all.
The likelihood that Google loses your email is far less than the likelihood that your server has a disk failure, gets hacked and rm -rf'd, is stolen, burns in a fire, and so forth.
And no, running a mail server does not "consume a significant amount of resources". Any 10-year-old laptop can easily cater for a small business.
I meant human resources, obviously.
Besides, paying $6/user/month is actually very expensive for some small organisations. If you have 20 volunteers coming to the help in a small public library once a month, that would be $1440 a year just for e-mail services.
I'll say it again: Google is _free_ for nonprofits. Free: $0/user/month, for as many users as you want.
On 10/26/20 11:24 AM, Gregory Heytings wrote:
Your data is stored confidentially by Google, obviously. Otherwise nobody would use their services.
My keyboard is now COMPLETELY saturated with coffee. Some hit my display this time, too.
-Dave
-- Dave McGuire, AK4HZ New Kensington, PA
I hate to have to use this cliché: "if you believe that, I have a great one-owner bridge for sale". There is no positively secure store for any purpose that has even a remote possibility of being connected to the internet. As can be seen: to secure data = no connection to the internet; save money and keep my private data on a random server who knows where = insecure data.
Steve hanselman
-----Original Message----- From: dovecot <dovecot-bounces@dovecot.org> On Behalf Of Dave McGuire Sent: Monday, October 26, 2020 8:30 AM To: dovecot@dovecot.org Subject: Re: Looking for a guide to collect all e-mail from the ISP mail server
On 10/26/20 11:24 AM, Gregory Heytings wrote:
Your data is stored confidentially by Google, obviously. Otherwise nobody would use their services.
My keyboard is now COMPLETELY saturated with coffee. Some hit my display this time, too.
-Dave
-- Dave McGuire, AK4HZ New Kensington, PA
First of all, I want to learn how to do it, just for fun.
If you want to do this yourself for fun, here is what I believe a good way to do it:
- install and configure Dovecot with one account for each user; see for example https://doc.dovecot.org/configuration_manual/quick_configuration/
- install and configure OfflineIMAP to synchronize the IMAP folders between your ISP IMAP server and your Dovecot server; see for example http://www.offlineimap.org/doc/quick_start.html
At this point you should have a functional IMAP server, and your users can use your ISP SMTP server to send their mails.
- If you want to go one step further, and want your users to send their mails through your server, install and configure Postfix; see for example http://www.postfix.org/SOHO_README.html or https://www.howtoforge.com/how-to-relay-email-on-a-postfix-server
- If you want to go another step further, and want to remove the mails from your ISP IMAP server (instead of just mirroring it in Dovecot), install and configure Fetchmail; see for example https://www.linode.com/docs/guides/using-fetchmail-to-retrieve-email/
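As an added example (mine, not Gregory's and not code from the Dovecot, getmail or fetchmail projects), here is what the collection half of those steps looks like once written down for both cases the original poster asked about: one ISP mailbox per user, fetched by getmail, and a single multidrop mailbox, fetched by fetchmail. Both hand each message to Dovecot's LDA (dovecot-lda) so Dovecot's own delivery path applies, including Sieve and its vacation autoresponder. The Python script generates the per-user files instead of hand-writing one per user and creates them mode 0600 because the ISP password is inside. The ISP hostname, the user table, the passwords and the X-Original-To envelope header are assumptions; check which header your ISP actually stores the envelope recipient in, because multidrop delivery is only as reliable as that header.

```python
"""Generate getmail (one ISP mailbox per user) and fetchmail (one multidrop
mailbox) configurations that deliver into Dovecot through dovecot-lda.

Added example, not code from the thread or from Dovecot/getmail/fetchmail.
Everything under "assumptions" is made up for illustration.
"""
import os
import stat
import tempfile
from pathlib import Path

# --- assumptions: replace with your ISP's values -------------------------
ISP_POP = "pop.isp.example"          # ISP POP3 server, POP3S on port 995
ISP_PORT = 995
LOCAL_DOMAIN = "example.org"         # the domain the ISP receives mail for
ENVELOPE_HEADER = "X-Original-To"    # header the ISP stores the envelope recipient in
DOVECOT_LDA = "/usr/lib/dovecot/dovecot-lda"   # Debian/Ubuntu path; differs elsewhere
# constructed user table: local Dovecot user -> login of that user's ISP mailbox
USERS = {"alice": "alice@example.org", "bob": "bob@example.org"}


def getmail_rc(local_user, isp_login, isp_password):
    """Per-user case: one getmailrc per user. Run getmail as root so it can drop
    to `user` before executing dovecot-lda (dovecot-lda -d needs root or that user)."""
    return f"""[retriever]
type = SimplePOP3SSLRetriever
server = {ISP_POP}
port = {ISP_PORT}
username = {isp_login}
password = {isp_password}

[destination]
type = MDA_external
path = {DOVECOT_LDA}
arguments = ("-d", "{local_user}")
user = {local_user}

[options]
delete = true
read_all = false
delivered_to = false
received = false
"""


def fetchmail_rc(catchall_login, catchall_password, local_users):
    """Multidrop case: one ISP mailbox for the whole domain. fetchmail reads the
    envelope recipient from ENVELOPE_HEADER and maps its local part to a local
    user; '*' lets unlisted local parts through under their own name.
    Caveat: if one message matches several local users, fetchmail passes them all
    in %T and dovecot-lda takes a single -d; use Dovecot's LMTP listener instead
    if that case matters to you."""
    mapping = " ".join(local_users)
    return f"""set no bouncemail
poll {ISP_POP} proto pop3 service {ISP_PORT} ssl
    localdomains {LOCAL_DOMAIN}
    envelope "{ENVELOPE_HEADER}"
    user "{catchall_login}" there with password "{catchall_password}"
    to {mapping} * here
    mda "{DOVECOT_LDA} -f %F -d %T"
"""


def _write_private(path, text):
    """Create the file readable only by its owner: the ISP password is inside."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(text)
    os.chmod(path, 0o600)   # in case the file already existed with looser bits
    return path, stat.S_IMODE(os.stat(path).st_mode)


def write_configs(out_dir, passwords, catchall=None):
    """passwords: {isp_login: password}; catchall: (login, password) or None.
    Returns [(path, mode), ...] for every file written."""
    out = Path(out_dir)
    out.mkdir(parents=True, exist_ok=True)
    written = []
    for local_user, isp_login in USERS.items():
        text = getmail_rc(local_user, isp_login, passwords[isp_login])
        written.append(_write_private(out / f"getmailrc-{local_user}", text))
    if catchall:
        text = fetchmail_rc(catchall[0], catchall[1], list(USERS))
        written.append(_write_private(out / "fetchmailrc", text))
    return written


def main():
    """Write both variants into a temporary directory with constructed passwords."""
    passwords = {login: f"constructed-secret-{user}" for user, login in USERS.items()}
    return write_configs(tempfile.mkdtemp(prefix="mailcfg-"), passwords,
                         catchall=("catchall@example.org", "constructed-catchall-secret"))


if __name__ == "__main__":
    for path, mode in main():
        print(f"{path} (mode {mode:o})")
```

Run the script once, move the generated files into place (getmail reads them with `getmail -r <file>`, fetchmail with `fetchmail -f <file>`), and schedule the fetch from cron or a systemd timer. Only one of the two variants is needed: per-user getmail when the ISP gives each person a mailbox, fetchmail multidrop when there is a single catch-all. If your ISP does not add a reliable envelope-recipient header, fetchmail has to guess recipients from To:/Cc:, and mail sent to you via Bcc or a list will go astray; that is the main gotcha of the multidrop setup.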
- install and configure OfflineIMAP to synchronize the IMAP folders between your ISP IMAP server and your Dovecot server; see for example http://www.offlineimap.org/doc/quick_start.html
OfflineIMAP is not the way to go. Many ISPs have very low size limits for the mailbox sizes. The one I am looking at right now does have this problem (unless you pay extra).
From what I have gathered now, your hints about Postfix and fetchmail are correct. The trouble is that those doc pages are not real-life, complete examples with Dovecot of the two possible ways: 1) multidrop/catch all, and 2) one mailbox per user.
Yes, I should be able to piece it all together. I will probably try. I just find it surprising that there is no such a complete guide yet. Because I am sure that there are a few gotchas along the way.
Yes, getmail is an alternative, and that looks like a good way too. But it's the same problem: the article is not complete. It states "how you could arrange it". It would be nice if you did not have to manually write a getmail config file per user. And an example for multidrop is missing. There is a note at the end that you should carefully plan the transport ways, but I wouldn't know yet what to do in that respect.
It's just not a guide that I can follow from top to bottom to get a first working mail server to play with. That makes it pretty hard for me at this time. I will need much more time to learn and test every little detail myself. I'm not promising anything, but I may actually invest the time if I don't find anything else more interesting in the meantime. 8-)
In any case, thanks for the hints. I know now what the way to go is. Those pesky port 25 people are not going to get me! ;-)
Regards, rdiez
The reason there's no pretty complete how-to is because what you're doing seems completely insane to the vast majority of people who'd look at your problem and select your way of approaching solving it.
Yeah, you can also host your own website off of a DSL line, using a rasp-pi connected via a ham data relay which is faxing pages back and forth over a couple of soup-cans and string - etc, etc, etc.
While I get, at least in principle, why you want to do it your way - you've selected a particularly painful, and super time-expensive way, IMO.
A VPS for like $10 a month would do everything you want to do. Run Ubuntu on it, and allow Ubuntu to do security updates and restarts and you'll almost certainly be fine. If you want, get a fully managed VPS for a little more, and they'll do all that for you.
Or, one of a hundred other ways to accomplish handling mail - but you've picked one of the oddest, most difficult ways...and then "complain" that there's no examples. Yeah, 'cause no-one wants to do it your way because it's crazy.
Sorry dude - I kinda get it, but no, I'd never pick your way of doing it, and I'm not surprised that there's almost no one who has cranked a complete example of it either.
Not trying to make fun of you, but dang, the time wasted in this thread could probably have paid for 5 years of hosted mailcow.
Cheers! Do have fun.
-Greg
lists <lists@lazygranch.com> writes:
lists> Ditto this. I pay for a VPS because I don't want my home facing the internet. If the VPS gets hacked, that is as far as they get.
Same here, I do this as well.
lists> You could do a mail server on a $5 Digital Ocean or Linode VPS if you don't run SpamAssassin. Rather than have your email server on a 10 year old laptop, you let someone else maintain the hardware. You can and should image your VPS or pay for imaging. I do both.
Linode is better, if only because charter.net is blocking all of Digital Ocean's netblocks for email. Sigh...
lists> My pipe to the outside world is around 800mbps. I couldn't do that at home. I don't have to worry about leaving a computer running while on vacation.
Same here!
lists> Should the OP want to join the real world, here again is the guide I use. I like this person's approach because you can test each step. The maintenance is GUI free. From start to finish figure on three hours. That includes setting up the VPS, SPF, and DKIM. I strongly encourage CentOS. I don't use it at home, but it is great for a server. It is a long term distro.
The nice thing about a VPS is that it's got redundant power, networking, cooling, etc. I pay $5/mon and another $6/qtr for my domain DNS hosting. Trivial costs for my own domain.
Dovecot, Postfix, SpamAssassin, etc. If you need more anti-spam, then you'll need to spend $10/mon for a bigger memory VM in my experience.
John
On 26 Oct 2020, at 09:11, R. Diez <rdiezmail-2006@yahoo.de> wrote:
I would not advise any company that is continuously being fined for breaking the law.
This is not only an overstatement, it is completely irrelevant. Given the OP problem statement (small business, part-time admin, newbie to mail servers), I do not think there is a better solution. A small server already costs 20 USD / month, running a mail server consumes a significant amount of resources, and as the OP mentions running a mail server also represents a high security risk.
Guys, this kind of advice is not helping me either.
First of all, I want to learn how to do it, just for fun. Even if paying for a hosted solution is an economically better solution. It's not for me to decide anyway.
If you want to do it for fun and learning, set up a private mail server for yourself and maybe some friends. You do not have "fun" with a company's emails, not even a non-profit's. ESPECIALLY since you have rather specific legal restrictions and requirements on that email.
Doing it yourself is possible IF you already know what you are doing very well. Doing this yourself as a "fun learning experiment" is irresponsible.
I will not recommend Google. Ever heard of data protection and data confidentiality? And then you are completely dependent. Your are nothing for a huge company like Google. If they lose your complete e-mail database, they will tell you that they are awfully sorry. If at all.
You are still confusing two very different things, the paid Google hosting service and the free gmail service. They are not the same thing. Your paranoia is based on ignorance. You do not, obviously, have to go with Google. There are many other choices. Hundreds. Your government may even have a list of companies that comply with German and European laws.
And no, running a mail server does not "consume a significant amount of resources". Any 10-year-old laptop can easily cater for a small business.
That depends. You need to find an 18yo laptop that can run a current OS with current security libraries, so that's a stretch right there. And while it may not consume a lot of CPU resources, it consumes a lot of human/brain resources. It takes knowledge, which takes time. Your idea that you can just set up a mailserver and walk away and never look at it again is laughable.
Besides, paying $6/user/month is actually very expensive for some small organisations.
Depends on what, for example, having all your email ransomwared or published to some website costs. If your non-profit gets funding, your country and the EU have very strict laws on the security of email and the requirement to keep it archived and to ensure the data cannot get out. You may be facing serious fines or even jail time if you set up a mail server badly and that results (as it almost surely will) in a third party accessing that mail.
If you have 20 volunteers coming to the help in a small public library once a month, that would be $1440 a year just for e-mail services.
If you feel the need to give 20 volunteers individual, personal email addresses, sure. $1500 a year for any sort of business, even a non-profit, is not a significant cost.
Most such people would continue to use private Hotmail addresses. I would rather install a Synology NAS and use whatever e-mail service it comes with.
You have to pay for that too.
An on-premise mail server is, and should be, virtually free,
It is not. You need someone to admin it. You need someone to be vigilant and see when things are going wrong, or when an intruder has gained access, or when your DNS has expired, or your certificates need to be renewed, or a major system update is required. You also need (well, should have) a backup server, UPS systems (check those batteries!) and a whole host of other things that need to be done.
at least for a basic e-mail service. No need for cloud. No need to expose any ports. No need to configure the firewall. No need to ask anything from your ISP.
You cannot send or receive any email if all your ports are closed. In order to communicate with anyone else, you must have the ability to connect to them.
But it sure sounds like you've made up your mind to make the worst decision and are ignoring the advice of many people who do this all day, everyday. Good luck with that.
Please check with your legal counsel first, you may be shocked as to what the EU and Germany actually require and what penalties you face when you decide to ignore those requirements. For example, are you aware that Germany requires TLS encryption on all email? And has more stringent E2EE requirements on many emails?
-- "Let's get back to syntax of procmail and forget the syntax of fools." Don
EU have very strict laws on the security of email and the requirement to keep it archived and to ensure the data cannot get out.
No. GDPR is very organization-specific, meaning that a small organization or non-profit with 5 employees doesn't need the same security as a 100-employee multi-million dollar organization.
They were going to require small companies and even private persons processing data outside of the "personal space" limitation, to have the same sort of physical and digital security as any multi-billion dollar corporation, and require those that cannot cash up for such security, to only use hosted cloud services and rented centrally-managed computers without any own IT department.
Of course, they dropped that idea, because it was not fair to small companies. They changed the ruling so the amount of security you need is dependent on how many people are at risk if the emails leak, and what type of content the email has (if it has sensitive data, requirements are higher).
But also, export of data to third-world countries is not permitted at all, regardless of organization size, due to the data losing legal protection (if someone outside EU leaks the data, you cannot hold someone responsible), unless specific requirements are met.
This means, a somewhat maintained mail server, physically located at a company, is much better than using a hosted cloud service, as the cloud services usually take extra payment to keep the data inside EU.
Same with the rulings on security bulletins - if you have a multi-billion dollar company then you are expected to apply security fixes and patches, even on a Saturday night. They are obliged by EU law to have alarms that wake them up on any major security bulletin regarding any of the server software.
For a small non-profit or family company, it's OK to wait until business hours with that; if that leads to the server being hacked, it's okay. You did what you could. Nobody expects you to be available 24/7 to patch 0-days.
So it's totally dependent on what type of organization you run, and the size, that governs how much security you need.
And no, you don't need a UPS or backed-up ISP connections, unless you run something mission critical. Most mailservers will queue mails for several days, so if your mailserver disappears for 1-2 days, it doesn't matter. The "availability" requirements of GDPR only apply to society-critical services where it can actually cause harm to end-users if a service is down.
If it's just a small non-profit with 5 employees, GDPR is not gonna care because the email server was down for a day or two.
On 10/26/20 10:26 AM, Gregory Heytings wrote:
I too would strongly advise you to use Google Workspace (the recent new name for G Suite, previously known as Google Apps). It's cheap, very reliable, and has all features you can dream of, including an autoresponder. It's unrealistic to think that it's possible to beat a service that costs a mere USD 6 / user / month (and is free for nonprofits!).
You're advocating storing confidential business or personal data on the servers of the world's largest data mining company, and one that is rapidly becoming quite evil.
It's hard to imagine anyone being that dumb, but then this society has been surprising me a lot in recent years.
-Dave
-- Dave McGuire, AK4HZ New Kensington, PA
It's hard to imagine anyone being that dumb, but then this society has been surprising me a lot in recent years.
If I tell some woman in the store that she is about to buy an energy drink promoted by/having a picture of a convicted rapist. They look at me weird and the most stupid response I got was 'but I am not buying it for myself'.
On 10/26/20 11:07 AM, Marc Roos wrote:
It's hard to imagine anyone being that dumb, but then this society has been surprising me a lot in recent years.
If I tell some woman in the store that she is about to buy an energy drink promoted by/having a picture of a convicted rapist. They look at me weird and the most stupid response I got was 'but I am not buying it for myself'.
coffee -> keyboard
-- Dave McGuire, AK4HZ New Kensington, PA
I too would strongly advise you to use Google Workspace (the recent new name for G Suite, previously known as Google Apps). It's cheap, very reliable, and has all features you can dream of, including an autoresponder. It's unrealistic to think that it's possible to beat a service that costs a mere USD 6 / user / month (and is free for nonprofits!).
You're advocating
I'm not advocating, I give the OP an advice, which he is (and you are) free to ignore.
storing confidential business or personal data on the servers of the world's largest data mining company, and one that is rapidly becoming quite evil.
That's nonsense. I will give one example: Airbus, the European aerospace corporation, uses Google Workspace. If there is one single company in the world that would have every possible reason to not store their "confidential business data" on the servers of an American company, it's Airbus. Yet they do it.
On 10/26/20 11:09 AM, Gregory Heytings wrote:
I too would strongly advise you to use Google Workspace (the recent new name for G Suite, previously known as Google Apps). It's cheap, very reliable, and has all features you can dream of, including an autoresponder. It's unrealistic to think that it's possible to beat a service that costs a mere USD 6 / user / month (and is free for nonprofits!).
You're advocating
I'm not advocating, I give the OP an advice, which he is (and you are) free to ignore.
And now you're splitting hairs on terminology. This suggests a particular approach to a disagreement, and is not doing you any good.
storing confidential business or personal data on the servers of the world's largest data mining company, and one that is rapidly becoming quite evil.
That's nonsense. I will give one example: Airbus, the European aerospace corporation, uses Google Workspace. If there is one single company in the world that would have every possible reason to not store their "confidential business data" on the servers of an American company, it's Airbus. Yet they do it.
I'm sure they do. Are you now suggesting that mega-corporations only ever do things in the best or smartest way?
I can point out examples of people and corporations doing stupid things all day long. There are LOTS of examples, everywhere. This doesn't mean they're not stupid.
I'm sorry buddy, your credibility hit rock bottom in your first post, and your subsequent posts aren't helping.
Have a nice day. *plonk*
-Dave
-- Dave McGuire, AK4HZ New Kensington, PA
That's nonsense. I will give one example: Airbus, the European aerospace corporation, uses Google Workspace.
What do they store there? That is the question. Maybe some irrelevant data; I doubt they store CAD drawings online, or data that is protected by GDPR legislation. And even if they do, are you going to burn books when Airbus is going to burn books?