Am 25.10.20 um 21:01 schrieb Marc Roos:

Maybe get something like Zimbra, such solutions also have support that you can buy when you need it or don't have time (I guess).

-----Original Message----- From: R. Diez [mailto:rdiezmail-2006@yahoo.de] Sent: Sunday, October 25, 2020 6:57 PM To: dovecot@dovecot.org Subject: Looking for a guide to collect all e-mail from the ISP mail server

Hi all:

I am evaluating mail server solutions for a small business. The trouble is, I am only a part-time admin and a newbie to mail servers.

Most guides I have seen are rather unrealistic: they encourage you to expose your e-mail server to the Internet, and hope that you have the resources to keep it patched up.

I would rather have an internal mail server that collects e-mails from a standard ISP mail server. It is like the old "POP3 Connector" that came with Microsoft Exchange. Sometimes, there is a mailbox per user on the ISP, and a corresponding one on the local server. Other times, there is a single "catch all" or "multidrop" mailbox on the ISP.

Users can still access their internal mailboxes from outside through an OpenVPN connection. The goal is that only VPN, and perhaps SSH, are accessible from the outside. We do not need to arrange any special SMTP configuration with the ISP either.

This kind of mail server setup is rather different to the standard configuration. You do not normally need you own antivirus and spam filter, and you do not need to configure SSL certificates, MX or SPF DNS records. Most ISP handle that correctly and economically. Internal e-mail does not leave your LAN, and your internal SMTP server is just a relay for the external ISP SMTP server.

Furthermore, most guides do not explain how to setup an autoresponder ("I am on holiday until xxx") so that users can enable theirs with the mouse. Editing configuration files over SSH is not really an option for normal users. This detail is important because it could be the only thing I need above standard e-mail. Further groupware features can be seen as nice but ultimately unnecessary luxury, and a basic shared calendar can be accomplished with a separate server like https://radicale.org/ and a calendar client like one built into Thunderbird. Hopefully, that is all I would need for a small business.

Can anyone point me to the kind of guide I need? Failing that, I would need information or examples about using fetchmail, getmail or similar software with Dovecot. Good or bad experiences from you guys would also help.

Each of those tools has a detailed man page, but there are many options and ways with different advantages and disadvantages. I would need a simpler guide to get started.

I am aware that there are pre-packaged mail server solutions that would perhaps bring an easy-to-use autoresponder, but I haven't seen one yet that where you could tick a box like "this server is only internal and collects mail from the ISP server" during installation. Nor have I seen instructions about reconfiguring the mail server for my ISP mail scenario.

I am prepared to learn more and write my own Perl scripts and/or installation guide, but it would be stupid to waste time if something easy already exists. After all, the setup I am describing (external ISP mail server

• internal mail server) is not so weird.

Thanks in advance, rdiez

see https://blog.sys4.de/abholdienst-fur-mail-de.html

-- [*] sys4 AG

http://sys4.de, +49 (89) 30 90 46 64 Schleißheimer Straße 26/MG, 80333 München

Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263 Vorstand: Patrick Ben Koetter, Marc Schiffbauer Aufsichtsratsvorsitzender: Florian Kirstein

Hello R,

reply inline below:

Am 25.10.20 um 23:12 schrieb R. Diez:

...

That way your users can create their vacancies with the ISP portal, [...]

That's a good idea. But then internal e-mails need to go out to the ISP, don't they? Because, if internal e-mails get delivered locally, the vacation autoresponses on the ISP will not trigger, will they?

The trouble is, with that configuration, if the Internet link goes down, internal e-mail stops working too.

Hello R, I only wrote about the incoming side - of course, you also want to send mail to remote users, and that includes users with an address of …@myisp.com. They will go to the ISP and be fetched to local from there.

And if internet's down, e-mail will stop working anyways, so why bother? Even facebook/whatsupp will stop working then!

With some tinkering, you can configure your local relay smtp to deliver those locally, but if your people do not talk about their vacancies over the water cooler, then they will miss that reminder then.

I was hoping that there would be a complete mail server setup guide somewhere for this kind of setup. But I guess I'll have to piece all these information snippets together.

Sorry, the world is too big :)

-- peter

Am 26.10.20 um 11:24 schrieb R. Diez:

...

Hello R, I only wrote about the incoming side - of course, you also want to send mail to remote users, and that includes users with an address of …@myisp.com. They will go to the ISP and be fetched to local from there.

That is not what I had in mind. My users will not go to the ISP and fetch their e-mails from there. They will always go to my internal mail server. If a user is on the road, he/she will connect with OpenVPN first.

Probably I could have said that better: fetchmail will fetch those mails from the ISP, same as any other mails to someone@your.site - the Inbox at your ISPs will always be empty, your users will only interact with the dovecot instance on premise. There is some inefficiency, the price for a simpler setup.

I have seen Microsoft Exchange setups that carried on working locally if the Internet connection was down. If Microsoft can do that, I want to have it too. 8-)

...

With some tinkering, you can configure your local relay smtp to deliver those locally,

To be more clear - if you have a local smtpd too (not just dovecot and fetchmail, postfix perhaps), that sits between your users MUA and your ISPs smtpd, you can make it recognise someone@your.site as a "local" account and have those mails delivered locally. You have to set up some mappings though, that replicate the ones in your fetchmailrc.

Start of a HOWTO:

1. Install dovecot, create virtual accounts for all of your users
2. Install fetchmail, make it pull the ISPs IMAP and deliver locally
3. Install postfix as a smart relay and deliver locally to locals

Feel free to fill in the details ;)

-- peter

no spam/virus filtering ? Virtual suicide these days :P

On Monday, 26/10/2020 at 16:13 R. Diez wrote:

Start of a HOWTO:

1. Install dovecot, create virtual accounts for all of your users
2. Install fetchmail, make it pull the ISPs IMAP and deliver locally
3. Install postfix as a smart relay and deliver locally to locals

Feel free to fill in the details ;)

And I thought you guys had nothing else to do, sitting here on the mailing list and pretending to have some mail server skills... So, yes, it does look like I'll have to be the one filling in all the details!  8-)

Regards, rdiez

I have used this person's blog for a few operating systems.

https://blog.andreev.it/?p=1975

Poke around for the correct OS. I only set up dovecot and postfix. Keep it simple. You then need opendkim. I think opendkim checks the incoming mail. There is another procedure to sign your mail.

When you think it works, use https://dkimvalidator.com/

Also go to mxtools to verify you haven't created an open relay.

Regarding LetsEncrypt, I use the bash script. https://github.com/acmesh-official/acme.sh This saves you Python headaches.

  Original Message  

From: michael.schumacher@pamas.de Sent: October 26, 2020 1:09 AM To: rdiezmail-2006@yahoo.de; pch@myzel.net Cc: dovecot@dovecot.org Subject: Re: Looking for a guide to collect all e-mail from the ISP mail server

Hello R.,

Sunday, October 25, 2020, 11:12:48 PM, you wrote:

RD> I was hoping that there would be a complete mail server setup RD> guide somewhere for this kind of setup. But I guess I'll have to piece all these RD> information snippets together.

There are plenty of guides available. I don't know your mother tongue, but seeing your last name, I assume you may be speaking German. Take a look at these German language guides:

https://www.it-management-kirchberger.at/manuals-tutorials/server-centos-7/p... https://www.dokuwiki.tachtler.net/doku.php https://dokuwiki.nausch.org/doku.php/centos:mail_c7:spam_6

I am sure others can provide other language guides as well.

best regards

Michael Schumacher

[...]

I could not find anything there related to multidrop or "catch all" mailboxes. [...] Nothing like that there either. [...] This is a huge document with little introduction. It seems to be mostly about fighting spam. I did not find anything like the setup I described.

looks like the collective wisdom of this group can't provide precisely what you are looking for. You may need to figure it out by yourself.

Btw., why is an open port 25 evil if the MTA is configured correctly? Can you elaborate, please?

best regards

Michael Schumacher

On 26.10.20 17:45, Mihai Badici wrote:

So I guess it is not trivial to sort again all the mails and deliver each one in a mailbox after you mixed all together in a single catchall mailbox. Could be done for sure but it is some work to do... 

Determining the intended recipient of a specific *copy* of an e-mail (info contained in the envelope) from that copy *after* "final" delivery (at the ISP, no more envelope, info *possibly* contained in pseudo headers of varying name and reliability) is *most definitely* nontrivial, and (used to be?) known as a prime cause of mail loops.

If you don't know *exactly* what you're doing, maintain your myriad of users/mailboxes *both* at the ISP and on your internal servers and put the "mails in ISP mailbox X *all* go into internal mailbox Y, and nowhere else!" relations "hardcoded" into your retrieval tool's config.

Regards,

Jochen Bern Systemingenieur

Binect GmbH

Btw., why is an open port 25 evil if the MTA is configured correctly? Can you elaborate, please?

He does not know, that is why he assumes this. He first needs to aquire some basic principles and learn, as he wrote.

You need SPF and DKIM for your outgoing email to be accepted. [...]

I don't understand why that is the case (but keep in mind that I am a newbie).

Is it not possible to set up some internal SMTP server that only relies the e-mails to the external ISP SMTP server? The internal SMTP server would then act like a normal user's Thunderbird.

At first I tought that the internal SMTP server would need to know the password for each mailbox user. But then I asked, and the ISP SMTP server allegedly accepts any source e-mail address, as long as you are using one e-mail account that is valid in the domain. I wonder if that is standard practice.

My idea of a secure email server is to use submission port 587. Expose port 25 to the world and aggressively filter all remaining email ports with a firewall. And I mean aggressive. Geographically filter so only countries where youe users reside can send and retrieve email. Block major hosting IP space.

Geo blocking can be problematic. Depending on the small business, some customers and suppliers may sit in China or some other geographical area you would normally block.

I am too afraid, I would not expose any such port on the Internet. Who knows if the mail server stays months without an update. If I am to recommend or implement any such mail server solution to a small business, I would insist that the e-mail server is not exposed at all on the Internet.

A web interface etc. is not a problem: I just connect with a VPN and bypass most external security issues. If you are the admin, you can also forward the web interface over an SSH connection.

Best regards, rdiez

...

"Never use a browser for email."

I don't agree. In fact, using a browser for email or atleast initial setup, is actually more secure. This because SMTP/IMAP clients normally don't support 2FA, so you would have to "hack" a solution to enable 2FA for email.

This can be made in 2 ways: Either, you have a full fledged email setup. Whats important, is, to prevent auth-bypass holes, you remove the authentication in RoundCube or whatever webmail you use, and instead use a reverse-proxy or firewall authentication instead. Thus an unauthenticated user doesn't even touch RoundCube/webmail at all, but must authenticate at a prior stage.

The second way, is to not have webmail at all, but instead have a authentication gateway in browser, where you must auth with 2FA and captcha. The only purpose of this gateway, is to authenticate users with 2FA before their IP is whitelisted.

After this, you simply have a script, that upon valid login (with 2FA) in either webmail or auth gateway, you set the authorized IP of the user to this. Whats happen then, is that each account will have an authorized IP attached (you could limit it to the /24 to cater for mobile clients), and then login to that account, will only be accepted from that authorized IP.

This then allows SMTP/IMAP usage from that IP. If you want to go even more secure, you could restrict the firewall to the list of all IPs that all users have dynamically, and then in the SMTP/IMAP server, lock down auth to the authorized IP of that particular user account only.

Its very important, that upon authing with a incorrect IP, that the server responds in the same way as a invalid password was specified, in this way, if someone attempts to bruteforce the password, they will "miss" the correct password, if the server does not react differently to a correct password but invalid IP. Thus bots that bruteforce will not gain any success.

All this can be combined with permanent whitelists and geoIP whitelists, to avoid users having to authenticate with 2FA for "trusted" locations. One example would be to have the local office as permanent whitelist, and also have it that any IP in the user's "home country" is permanently whitelisted for his account once the user authenticates with 2FA.

Other IPs outside his home country, is then only whitelisted once, next 2FA login, the old whitelist is simply deleted.

Amen to that!

-----Original Message----- From: lists [mailto:lists@lazygranch.com] Sent: Monday, October 26, 2020 7:09 AM To: Dovecot Mailing List Subject: Re: SV: Looking for a guide to collect all e-mail from the ISP mail server

Good luck with all that coding. I have four years now of running my own email server. Zero hacks. I keep the attack surface to a minimum. Less is more.

One thing you don't want to do is write your own code. This stuff is always way harder than you think. Worse yet you run alpha generation code because you are the only one using it. All software has bugs. What you need is a mass of users flogging the code and finding the bugs.

Now if you do use a browser, you have to deal with leaks, bugs, possible process interaction if more than one tab is open, and possibly browser extensions hacks if extensions are used.

Count me out.

And did you miss the part where I was hacked via RoundCube?

1: I meant like this:

Without whitelisting, you can't login to SMTP or IMAP, password isn't valid at all.

To enable SMTP and IMAP, you then either surf ro webmail, or the 2FA gateway, and login with: Username + password + 2FA code + captcha.

When all is valid, then your IP is whitelisted for SMTP and IMAP access. This still means you have to use usename/password for SMTP/IMAP.

So how would this be a security hole? Instead of using only username+password for SMTP/IMAP? The whitelisting procedure ADDS to the security. The baseline security with username+password is already there, but now you ALSO need a whitelisted IP to even get a chance to authenticate.

Kind of stupid that there doesn't exist some common standard for 2FA that works in email clients. Some clients do support TLS client certificates, and some clients do support certain "extensions" for 2FA auth. But only common supported in all clients is password auth without 2FA, which is pretty insecure.

Outlook have solved 2FA auth with a webview that uses OAUTH to create a authentication token, for use with SMTP/IMAP using some proprietary extension with gmail and hotmail. But that webview is not something you can trigger from a third party service.

Captcha is there to prevent bruteforcing. If a valid captcha is submitted along with a 2FA code, you could lock out the account for 1 minute for each invalid attempt. If a invalid captcha is submitted, you ignore the request completely. This then prevents a attacker from flooding the server with invalid auth requests for the sole purpose of keeping a user locked out. (Account Lockout DDoS attack)

I had problems with my mail password getting hacked all the time. The instant I added IP whitelist to my system and blocked all non-approved IPs from authenticating at all (so you must have username + password + correct IP to gain access) - then all hacking of my passwords have stopped. IP lockout was the solution to my problems.

2: The idea with the reverse-proxy gateway, is only to prevent auth-bypass or non-authenticated security holes. If you have a web service that has a suspected vulnerability that could be used without authenticating, or could be used to bypass authentication, then you put a reverse proxy in front. The reverse proxy does the authentication, and only forwards requests belongning to authenticated users. Even if the webservice behind, has a auth-bypass hole, it cannot be exploited, as the reverse proxy is behind the service, and non-authenticated users cannot even touch the webservice at all.

-----Ursprungligt meddelande----- Från: dovecot-bounces@dovecot.org dovecot-bounces@dovecot.org För @lbutlr Skickat: den 27 oktober 2020 15:57 Till: dovecot mailing list dovecot@dovecot.org Ämne: Re: Looking for a guide to collect all e-mail from the ISP mail server

The second way, is to not have webmail at all, but instead have a authentication gateway in browser, where you must auth with 2FA and captcha. The only purpose of this gateway, is to authenticate users with 2FA before

On 25 Oct 2020, at 22:47, Sebastian Nielsen sebastian@sebbe.eu wrote: their IP is whitelisted.

I mostly agree with the sentiments in your email, but whitelsiting IP addresses is a HORRIBLE idea and a massive gaping security hole and using a captcha is only slightly less horrible and user-hostile. If you are using 2FA there is absolutely no reason to use a captcha.

A 2FA gateway that reverse proxies the webmail is quite good, but enforcing good passwords and using TLS is good enough for nearly all use cases.

(I recently upped the minimum password length from 12 characters)

-- Ah we're lonely, we're romantic / and the cider's laced with acid / and the Holy Spirit's crying, Where's the beef? / And the moon is swimming naked / and the summer night is fragrant / with a mighty expectation of relief

I would have to also hack the email client since I don't enter my 20 character high entropy password when I send or retrieve email.

You really need an email standard to integrate TOTP. To be realistic, you need Gmail to use it. Whatever Gmail wants is essentially a defacto standard. I live in the real world, so whatever Google wants, I comply.

  Original Message  

From: jtam.home@gmail.com Sent: October 27, 2020 3:57 PM To: dovecot@dovecot.org Subject: Re: SV: Looking for a guide to collect all e-mail from the ISP mail server

On Tue, 27 Oct 2020, Sebastian Nielsen wrote:

Kind of stupid that there doesn't exist some common standard for 2FA that works in email clients.

You can bodge it for HOTP/TOTP hardware token generators.  Dovecot allows custom plugins to check passwords.  The plugin can take passwords of the form {password}+{2fa-token}, then split each part to check against authentication systems to check validity.

Joseph Tam jtam.home@gmail.com

And which email clients can do this?

A defacto standard needs to be adopted. If I don't provide SPF or DKIM, I am likely to be deemed spammy, hence a defacto standard has been established. I don't see this with TOTP.

I'm all for TOTP, but I'm not going to code my own.

  Original Message  	

From: sebastian@sebbe.eu Sent: October 27, 2020 5:56 PM To: dovecot@dovecot.org Reply-to: dovecot@dovecot.org Subject: SV: SV: Looking for a guide to collect all e-mail from the ISP mail server

...

Whatever Gmail wants is essentially a defacto standard.

Gmail have solved it with a Oauth authorization scheme. Basically, first time setting up mail, you are asked to authenticate by 2FA in a webview, then a shared secret is established, that is used during SMTP and IMAP time. Both Hotmail and Gmail is using this hackish webview solution for Outlook integration (and integration in some other email clients).

Thats why Google and Microsoft have their own buttons inside Outlook and some other mail clients.

You look spammy if you don't have SPF or DKIM, and hopefully both. [...]

I don't want to worry about spam, SPF, DNS or the lot. That is what the ISP is there for. Most of them actually do a pretty good job for very little money in my experience. If not, you can always switch to another ISP.

Regarding geofencing, look back at my post. [...]

Geofencing is way too complicated. You would need a real e-mail consultant for that. 8-)

It is far easier to install OpenVPN, in order to avoid exposing anything else internal on the Internet. Then it is like the user is inside the LAN. There is nothing else to adjust in the mail server or anywhere else.

The reason I run my own email server is I got hacked when using a hosting service. [...]

I can understand that you got hacked. A nasty experience. But, if you think about it, your ISP got hacked, not you. If you open ports, your server may get hacked. And then the hacker is inside your network.

Hack attacks like yours is probably the reason why the European Union is forcing nowadays a kind of two-factor authentication for banks, PayPal etc.

The hacker did not change the e-mail password so that you do not realise immediately that you got hacked, and maybe immediately cancel your credit cards etc.

There is no way most part-time admins like me can provide better security than an ISP. Even paying for a more professional service is probably not worth it. It's an economic weighing exercise: how many get hacked, and what protection costs. I would start by securing PayPal etc. better, by using two-factor authentication like SMS or a separate mobile App to approve payments.

One thing you will learn about email servers is there are many programs to chain together. [...]

That is why I wanted the ISP to take over spam and virus detection. Most do a reasonable job, better than I could ever do anyway.

Best regards, rdiez

...

why not just point them at a hosting service like google apps, and let google keep things up to date?

Costs money, and also the problem is that gmail imposes heavy spam filters and "reputation blocks" meaning smaller providers with low email volumes, are put in the spam folder, even if they never send spam, just because their email volume is so low (ergo, they must prove they don't spam before getting out of ispam folder)

Another thing is that you cannot impose IP restrictions when using Google Apps, or have SSO with trusted access from inside the office. (for example - scan your badge at the office door, your personal computer is automatically logged on and you get access to everything).

With locally hosted servers, of course you have to keep them updated. Most linux distributions can keep them updated automatically.

and also the problem is that gmail imposes heavy spam filters and "reputation blocks" meaning smaller providers with low email volumes, are put in the spam folder, even if they never send spam, just because their email volume is so low (ergo, they must prove they don't spam before getting out of ispam folder)

How do you know that?

Citeren Sebastian Nielsen sebastian@sebbe.eu:

Because when I email to friends that are using gmail, my mail ends up in spam unless my friends put me in whitelist. Seems to vary however, and seems to get better with time.

In order to prevent ending up in spam in GMail, it is necessary to
have working DKIM and/or SPF for your messages and forward- and
reverse DNS records for your mailserver match.

email does not get silently dropped or moved to spam when working with gmail.

Gmail is dropping email on purpose?

On 26. Oct 2020, at 11.36, lists lists@lazygranch.com wrote:

Actually the reverse pointer doesn't have to match. In fact this is impossible if you are setting up virtual accounts on one server for different domains. You just need to have a reverse pointer.

Most email servers look to seen if the reverse pointer has a "dyn" in it and blocks those.

Also your own email server is not behaving nicely:

mailto:lists@lazygranch.com>: host lazygranch.com http://lazygranch.com/[198.199.119.111] said: 500 5.7.1 <83-136-254-93.uk http://83-136-254-93.uk/-lon1.upcloud.host[83.136.254.93]>: Client host rejected: eat a bag of dicks (in reply to RCPT TO command)

and for that reason I have blacklisted you from any help requests. You may do the same whatever you are telling me to do.

Sami

I assure you each IP address has only one reverse pointer at Digital Ocean. I know this because I set up the reverse pointer myself.

  Original Message  	

From: M.Roos@f1-outsourcing.eu Sent: October 26, 2020 4:41 AM To: lists@lazygranch.com; sami@ketola.io Cc: build+dovecot@de-korte.org; dovecot@dovecot.org Subject: RE: Looking for a guide to collect all e-mail from the ISP mail server

you should ask your ip provider to set a proper reverse lookup for you. If I would get a lot of spam from upcloud.host ips, I would also consider blocking upcloud.host reverse dns lookups. If it is your ip, it is an easy request to have it changed.

-----Original Message----- From: Sami Ketola [mailto:sami@ketola.io] Sent: Monday, October 26, 2020 11:22 AM To: lists Cc: Arjen de Korte; Dovecot Mailing List Subject: Re: Looking for a guide to collect all e-mail from the ISP mail server

On 26. Oct 2020, at 11.36, lists lists@lazygranch.com wrote:

Actually the reverse pointer doesn't have to match. In fact this is impossible if you are setting up virtual accounts on one server for different domains. You just need to have a reverse pointer.

Most email servers look to seen if the reverse pointer has a "dyn" in it and blocks those.

Also your own email server is not behaving nicely:

lists@lazygranch.com: host lazygranch.com[198.199.119.111] said: 500 5.7.1 <83-136-254-93.uk-lon1.upcloud.host[83.136.254.93]>: Client host rejected: eat a bag of dicks (in reply to RCPT TO command)

and for that reason I have blacklisted you from any help requests. You may do the same whatever you are telling me to do.

Sami

and forward- and reverse DNS records for your mailserver match.

do even googles ips confirm to this standard?

I know. I am not stating this.

-----Original Message----- From: lists [mailto:lists@lazygranch.com] Sent: Monday, October 26, 2020 3:17 PM To: dovecot Subject: Re: SV: SV: Looking for a guide to collect all e-mail from the ISP mail server

As I previously stated the reverse pointer does not have to match your domain.

Suppose you ran a hosting company called host.com. Suppose you had clients client1.com and client2.com. This requires virtual mailboxes. That is one domain, host.com provides email services for client1.com and client2.com. Most servers would just have a reverse pointer to host.com.

  Original Message  	

From: M.Roos@f1-outsourcing.eu Sent: October 26, 2020 7:04 AM To: build+dovecot@de-korte.org; dovecot@dovecot.org Subject: RE: SV: SV: Looking for a guide to collect all e-mail from the ISP mail server

and forward- and reverse DNS records for your mailserver match.

do even googles ips confirm to this standard?

I have no problems with Gmail from Digital Ocean. But I have both spf, DKIM, DMARC and a reverse pointer. You need to not look spammy.

One advantage to using a VPS is your IP is unique. That is you don't share it with a spammer. Not so with hosted services.

  Original Message  	

From: M.Roos@f1-outsourcing.eu Sent: October 26, 2020 1:06 AM To: dovecot@dovecot.org; sebastian@sebbe.eu Subject: RE: SV: Looking for a guide to collect all e-mail from the ISP mail server

and also the problem is that gmail imposes heavy spam filters and "reputation blocks" meaning smaller providers with low email volumes, are put in the spam folder, even if they never send spam, just because their email volume is so low (ergo, they must prove they don't spam before getting out of ispam folder)

How do you know that?

On 25 Oct 2020, at 22:51, Sebastian Nielsen sebastian@sebbe.eu wrote:

...

...

why not just point them at a hosting service like google apps, and let google keep things up to date?

Costs money,

Yes. That is a *good* thing. Running an unmaintained mail server is a BAD thing.

and also the problem is that gmail imposes heavy spam filters and "reputation blocks" meaning smaller providers with low email volumes,

I think you are confusing gmail and google apps (or whatever it is called now, seems to change all the time).

Another thing is that you cannot impose IP restrictions when using Google Apps, or have SSO with trusted access from inside the office. (for example - scan your badge at the office door, your personal computer is automatically logged on and you get access to everything).

Wow. That sounds sooooooper not secure.

With locally hosted servers, of course you have to keep them updated. Most linux distributions can keep them updated automatically.

You cannot keep a mail server automatically updated, sorry. That is a fantasy.

You can either spend money on someone know knows what they are doing in-house (more secure, more control, more money), or you can spend money on outsourcing someone who knows what they are doing (less money). The other option involves a pair of smoking boots and a crater and I do not recommend it.

-- Nothing like grilling a kosher dog over human hair to bring out the subtle flavors.

Why don't you configure all stuff internally and ask your provider to relay the e-mails from and to you via "smart relay"?  You will communicate only via smtp and only with your provider, and you can use a nice open-source bundle ( dovecot is mandatory because you wrote on that list :) ) in your LAN.

  Original Message

From: rdiezmail-2006@yahoo.de Sent: October 25, 2020 10:57 AM To: dovecot@dovecot.org Subject: Looking for a guide to collect all e-mail from the ISP mail server

Hi all:

I am evaluating mail server solutions for a small business. The trouble is, I am only a part-time admin and a newbie to mail servers.

Most guides I have seen are rather unrealistic: they encourage you to expose your e-mail server to the Internet, and hope that you have the resources to keep it patched up.

I would rather have an internal mail server that collects e-mails from a standard ISP mail server.  It is like the old "POP3 Connector" that came with Microsoft Exchange.  Sometimes, there is a mailbox per user on the ISP, and a corresponding one on the local server.  Other times, there is a single "catch all" or "multidrop" mailbox on the ISP.

Users can still access their internal mailboxes from outside through an OpenVPN connection.  The goal is that only VPN, and perhaps SSH, are accessible from the outside.  We do not need to arrange any special SMTP configuration with the ISP either.

This kind of mail server setup is rather different to the standard configuration. You do not normally need you own antivirus and spam filter, and you do not need to configure SSL certificates, MX or SPF DNS records. Most ISP handle that correctly and economically.  Internal e-mail does not leave your LAN, and your internal SMTP server is just a relay for the external ISP SMTP server.

Furthermore, most guides do not explain how to setup an autoresponder ("I am on holiday until xxx") so that users can enable theirs with the mouse. Editing configuration files over SSH is not really an option for normal users. This detail is important because it could be the only thing I need above standard e-mail. Further groupware features can be seen as nice but ultimately unnecessary luxury, and a basic shared calendar can be accomplished with a separate server like https://radicale.org/ and a calendar client like one built into Thunderbird. Hopefully, that is all I would need for a small business.

Can anyone point me to the kind of guide I need? Failing that, I would need information or examples about using fetchmail, getmail or similar software with Dovecot.  Good or bad experiences from you guys would also help.

Each of those tools has a detailed man page, but there are many options and ways with different advantages and disadvantages.  I would need a simpler guide to get started.

I am aware that there are pre-packaged mail server solutions that would perhaps bring an easy-to-use autoresponder, but I haven't seen one yet that where you could tick a box like "this server is only internal and collects mail from the ISP server" during installation. Nor have I seen instructions about reconfiguring the mail server for my ISP mail scenario.

I am prepared to learn more and write my own Perl scripts and/or installation guide, but it would be stupid to waste time if something easy already exists.  After all, the setup I am describing (external ISP mail server + internal mail server) is not so weird.

Thanks in advance, rdiez

Besides, the way you suggest means opening a SMTP port to the outside world. A security risk and more work at the firewall etc.

You can just allow some ip addresses of your provider to connect, not? Nothing outside world.

Yes, you all want me to open ports. I'm sorry guys, but I won't budge:

1. Opening a port means reconfiguring the firewall. You may find it funny, but some non-profits have no firewall, just a standard ADSL router. The ones that the telecom company provides often has no IP filtering abilities.

Read your router manual, you can easily only port forward from a single or multiple ips to your local

2. I will not expose an SMTP server to the outside word. I will not install in, or advise to, a small business a piece of software that craves for attention

The problem is your knowledge is limited, and therefore draw incorrect conclusions. So maybe try and find someone that has more knowledge in your group, or ask around in your charity.

3. Of course I can ask the current ISP. And they may comply. But how about the next one?

What next one? You should stick with your ISP for years, I have.

4. Of course I can filter my provider's IP in some Linux firewall. But then the provider will change its setup and won't tell me. Or I will not have time to modify the configuration. Or the next person will not have time just this week.

These things do not change. I did not change my mail ip's the last 10 years or so. I guess only 'hillbillies' that hop around from supplier to supplier to cut a few dollars a month do this.

On 10/26/20 4:16 PM, R. Diez wrote:

...

Why don't you configure all stuff internally and ask your provider to relay the e-mails from and to you via "smart relay"?  You will communicate only via smtp and only with your provider, [...]

When you are a small business or a volunteer-run club or charity, you don't ask your provider. You have no leverage. You may not even be able to change provider so easily.

Besides, the way you suggest means opening a SMTP port to the outside world. A security risk and more work at the firewall etc.

From what I gathered to date, there should be nothing wrong with collecting e-mails from a catch-all/multidrop POP3/IMAP4 mailbox, so I will carry on pursuing this method.

Regards, rdiez

You will open the smtp port only to your provider.  The provider will receive mails for your domain and will send your mails for outside world. He can relay  them to you on an arbitrary port you can open only for that server.  You may have right you can't ask him this kind of setup but if they already run an e-mail server ( and most of them actually do that) it is not such a big effort to add two lines in their server config, it cost nothing to  ask :) That will allow you to run a complete mail suite almost as in the "real world".

...

I too would strongly advise you to use Google Workspace (the recent new name for G Suite, previously known as Google Apps). It's cheap, very reliable, and has all features you can dream of, including an autoresponder. It's unrealistic to think that it's possible to beat a service that costs a mere USD 6 / user / month (and is free for nonprofits!).

I would not advice any company that is continuously being fined for breaking the law.

This is not only an overstatement, it is completely irrelevant. Given the OP problem statement (small business, part-time admin, newbie to mail servers), I do not think there is a better solution. A small server already costs 20 USD / month, running a mail server consumes a significant amount of resources, and as the OP mentions running a mail server also represents a high security risk.

First of all, I want to learn how to do it, just for fun.

Okay, that was not what you initially said. Some comments below, nonetheless.

I will not recommend Google. Ever heard of data protection and data confidentiality?

Your data is stored confidentially by Google, obviously. Otherwise nobody would use their services.

And then you are completely dependent. Your are nothing for a huge company like Google. If they lose your complete e-mail database, they will tell you that they are awfully sorry. If at all.

The likelihood that Google loses your email is far less than the likelihood that your server has a disk failure, gets hacked and rm -rf'd, is stolen, burns in a fire, and so forth.

And no, running a mail server does not "consume a significant amount of resources". Any 10-year-old laptop can easily cater for a small business.

I meant human resources, obviously.

Besides, paying $6/user/month is actually very expensive for some small organisations. If you have 20 volunteers coming to the help in a small public library once a month, that would be $1440 a year just for e-mail services.

I'll say it again: Google is _free_ for nonprofits. Free: $0/user/month, for as many users as you want.

I hate to have to use this cliché "if you believe that I have a great one owner bridge for sale". There is no positively secure store for any purpose that has even a remote possibility of being connected to the internet. As can be seen to secure data = no connection to internet, save money keep my private data on a random server who knows where = insecure data.

Steve hanselman

-----Original Message----- From: dovecot dovecot-bounces@dovecot.org On Behalf Of Dave McGuire Sent: Monday, October 26, 2020 8:30 AM To: dovecot@dovecot.org Subject: Re: Looking for a guide to collect all e-mail from the ISP mail server

On 10/26/20 11:24 AM, Gregory Heytings wrote:

Your data is stored confidentially by Google, obviously. Otherwise nobody would use their services.

My keyboard is now COMPLETELY saturated with coffee. Some hit my display this time, too.

          -Dave

-- Dave McGuire, AK4HZ New Kensington, PA

2. install and configure OfflineIMAP to synchronize the IMAP folders between your ISP IMAP server and your Dovecot server; see for example http://www.offlineimap.org/doc/quick_start.html

OfflineIMAP is not the way to go. Many ISPs have very low size limits for the mailbox sizes. The one I am looking at right now does have this problem (unless you pay extra).

From what I have gathered now, your hints about Postfix and fetchmail are correct. The trouble is that those doc pages are not real-life, complete examples with Dovecot of the two possible ways: 1) multidrop/catch all, and 2) one mailbox per user.

Yes, I should be able to piece it all together. I will probably try. I just find it surprising that there is no such a complete guide yet. Because I am sure that there are a few gotchas along the way.

see https://blog.sys4.de/abholdienst-fur-mail-de.html

Yes, getmail is an alternative, and that looks like a good way too. But it's the same problem: the article is not complete. It states "how you could arrange it". It would be nice that you did not have to manually write a getmail config file per user. And an example for multidrop is missing. There is a note at the end that you should carefully plan the transport ways, but I wouldn't know yet what to do in that respect.

It's just not a guide that I can follow from top to bottom to get a first working mail server to play with. That makes it pretty hard for me at this time. I will need much more time to learn and test every little detail myself. I'm not promising anything, but I may actually invest the time if I don't find anything else more interesting in the meantime. 8-)

In any case, thanks for the hints. I know now what the way to go is. Those pesky port 25 people are not going to get me! ;-)

Regards, rdiez

On 26 Oct 2020, at 09:11, R. Diez rdiezmail-2006@yahoo.de wrote:

...

...

I would not advice any company that is continuously being fined for breaking the law.

...

This is not only an overstatement, it is completely irrelevant. Given the OP problem statement (small business, part-time admin, newbie to mail servers), I do not think there is a better solution A small server already costs 20 USD / month, running a mail server consumes a significant amount of resources, and as the OP mentions running a mail server also represents a high security risk.

Guys, this kind of advice is not helping me either.

First of all, I want to learn how to do it, just for fun. Even if paying for a hosted solution is an economically better solution. It's not for me to decide anyway.

If you want to do it for fun and learning, setup a private mail server for yourself and maybe some friends. You do not have "fun" with a company's emails, not even a non-profit. ESPECAILLY since you have rather sepcific legal restrictions and requirements on that email.

Doing it yourself is possible IF you already know what you are doing very well. Doing this yourself as a "fun learning experiment" is irresponsible.

I will not recommend Google. Ever heard of data protection and data confidentiality? And then you are completely dependent. Your are nothing for a huge company like Google. If they lose your complete e-mail database, they will tell you that they are awfully sorry. If at all.

You are still confusing two very different things, the paid Google hosting service and the free gmail service. They are not the same thing. You paranoia is based on ignorance. You do not, obviously have to go with Google. There are many other choices. Hundreds. Your government may even have a list of companies that comply with German and European laws.

And no, running a mail server does not "consume a significant amount of resources". Any 10-year-old laptop can easily cater for a small business.

That depends. You need to find an 18yo laptop that can run a current OS with current security libraries, so that's a stretch right there. And while it may not consume a lot of CPU resources, it consumes a lot of human/brain resources. It takes knowledge which takes time. Your idea that you can just setup a mialserver and walk away and never look at it again is laughable.

Besides, paying $6/user/month is actually very expensive for some small organisations.

Depends on what the cost of, for example, having all your email ransomwared or published to some website costs. If your non-profit gets funding, your country and the EU have very strict laws on the security of email and the requirement to keep it archived and to ensure the data cannot get out. You may be facing serious fines or even jail time if you setup an mail server badly that results (as it almost surely will) a third party accessing that mail.

If you have 20 volunteers coming to the help in a small public library once a month, that would be $1440 a year just for e-mail services.

If you feel the need to give 20 volunteers individual, personal email addresses, sure. $1500 a year for any sort of business, even a non-profit, is not a significant cost.

Most such people would continue to use private Hotmail addresses. I would rather install a Synology NAS and use whatever e-mail service it comes with it.

You have to pay for that too.

An on-premise mail server is, and should be, virtually free,

It is not. You need someone to admin it. You need someone to be vigilant and see when things are going wrong, or when an intruder has gained access, or when your DNS has expired, or your certificates need to be renewed, or a major system update is required. You also need (well, should have) a backup server, UPS systems (check those batteries!) and a whole host of other things that need to be done.

at least for a basic e-mail service. No need for cloud. No need to expose any ports. No need to configure the firewall. No need to ask anything from your ISP.

You cannot send or receive any email if all your ports are closed. In order to communicate with anyone else, you must have the ability to connect to them.

But it sure sounds like you've made up your mind to make the worst decision and are ignoring the advice of many people who do this all day, everyday. Good luck with that.

Please check with your legal counsel first, you may be shocked as to what the EU and Germany actually require and what penalties you face when you decide to ignore those requirements. For example, are you aware that Germany requires TLS encryption on all email? And has more stringent E2EE requirements on many emails?

-- "Let's get back to syntax of procmail and forget the syntax of fools." Don

On 10/26/20 10:26 AM, Gregory Heytings wrote:

I too would strongly advise you to use Google Workspace (the recent new name for G Suite, previously known as Google Apps).  It's cheap, very reliable, and has all features you can dream of, including an autoresponder.  It's unrealistic to think that it's possible to beat a service that costs a mere USD 6 / user / month (and is free for nonprofits!).

You're advocating storing confidential business or personal data on the servers of the world's largest data mining company, and one that is rapidly becoming quite evil.

It's hard to imagine anyone being that dumb, but then this society has been surprising me a lot in recent years.

        -Dave

-- Dave McGuire, AK4HZ New Kensington, PA

On 10/26/20 11:07 AM, Marc Roos wrote:

...

It's hard to imagine anyone being that dumb, but then this society has been surprising me a lot in recent years.

If I tell some woman in the store that she is about to buy an energy drink promoted by/having a picture of a convicted rapist. They look at me weird and the most stupid response I got was 'but I am not buying it for myself'.

coffee -> keyboard

-- Dave McGuire, AK4HZ New Kensington, PA

On 10/26/20 11:09 AM, Gregory Heytings wrote:

...

...

I too would strongly advise you to use Google Workspace (the recent new name for G Suite, previously known as Google Apps).  It's cheap, very reliable, and has all features you can dream of, including an autoresponder.  It's unrealistic to think that it's possible to beat a service that costs a mere USD 6 / user / month (and is free for nonprofits!).

You're advocating

I'm not advocating, I give the OP an advice, which he is (and you are) free to ignore.

And now you're splitting hairs on terminology. This suggests a particular approach to an disagreement, and is not doing you any good.

...

storing confidential business or personal data on the servers of the world's largest data mining company, and one that is rapidly becoming quite evil.

That's nonsense.  I will give one example: Airbus, the European aerospace corporation, uses Google Workspace.  If there is one single company in the world that would have every possible reason to not store their "confidential business data" on the servers of an American company, it's Airbus.  Yet they do it.

I'm sure they do. Are you now suggesting that mega-corporations only ever do things in the best or smartest way?

I can point out examples of people and corporations doing stupid things all day long. There are LOTS of examples, everywhere. This doesn't mean they're not stupid.

I'm sorry buddy, your credibility hit rock bottom in your first post, and your subsequent posts aren't helping.

Have a nice day. *plonk*

          -Dave

-- Dave McGuire, AK4HZ New Kensington, PA

That's nonsense. I will give one example: Airbus, the European aerospace corporation, uses Google Workspace.

What do they store there? That is the question, maybe some irrelevant data, I doubt if they store CAD drawings online or data that is protected by GDPR legislation. And even when, are you going to burn books, when Airbus is going to burn books?