@yonle @kaia Postfix/Dovecot is the easy part, you can even cheat with things like Mailcow and the new-ish all-in-one email solutions written in Go. It's the deliverability that is annoying to maintain. If you are in a bad IP space or inherited an IP that was used by a spammer, good luck getting that reputation back in a reasonable time. Have fun getting deliveries fully working to Gmail/O365 and not getting dropped into spam at seemingly random times.

@phnt @m0xEE @kaia since most traffic is hitting port 25, I just make OpenSMTPD literally reject any connections with invalid rDNS and forward rDNS.

It's really effective:

Mar 03 19:10:08 waltuh.cyou smtpd[1796806]: d5373ff3bc5172bf smtp failed-command command="" result="550 5.7.1 Reverse DNS Lookup Failed."
Mar 03 19:10:08 waltuh.cyou smtpd[1796806]: d5373ff3bc5172bf smtp disconnected reason=disconnect
Mar 03 19:17:16 waltuh.cyou smtpd[1796806]: d5373ff4305b9e00 smtp connected address=80.94.95.216 host=<unknown>
Mar 03 19:17:16 waltuh.cyou smtpd[1796806]: d5373ff4305b9e00 smtp failed-command command="" result="550 5.7.1 Reverse DNS Lookup Failed."
Mar 03 19:17:16 waltuh.cyou smtpd[1796806]: d5373ff4305b9e00 smtp disconnected reason=disconnect
Mar 03 19:17:16 waltuh.cyou smtpd[1796806]: d5373ff576769952 smtp connected address=80.94.95.216 host=<unknown>
Mar 03 19:17:16 waltuh.cyou smtpd[1796806]: d5373ff576769952 smtp failed-command command="" result="550 5.7.1 Reverse DNS Lookup Failed."
Mar 03 19:17:16 waltuh.cyou smtpd[1796806]: d5373ff576769952 smtp disconnected reason=disconnect
Mar 03 19:21:05 waltuh.cyou smtpd[1796806]: d5373ff6114035bf smtp connected address=45.144.212.169 host=<unknown>
Mar 03 19:21:05 waltuh.cyou smtpd[1796806]: d5373ff6114035bf smtp failed-command command="" result="550 5.7.1 Reverse DNS Lookup Failed."
Mar 03 19:21:05 waltuh.cyou smtpd[1796806]: d5373ff6114035bf smtp disconnected reason=disconnect
Mar 03 19:22:29 waltuh.cyou smtpd[1796806]: d5373ff742640107 smtp connected address=64.89.160.82 host=<unknown>
Mar 03 19:22:29 waltuh.cyou smtpd[1796806]: d5373ff742640107 smtp failed-command command="" result="550 5.7.1 Reverse DNS Lookup Failed."
Mar 03 19:22:29 waltuh.cyou smtpd[1796806]: d5373ff742640107 smtp disconnected reason=disconnect
Mar 03 19:28:04 waltuh.cyou smtpd[1796806]: d5373ff863e52ae4 smtp connected address=91.92.240.153 host=<unknown>
Mar 03 19:28:04 waltuh.cyou smtpd[1796806]: d5373ff863e52ae4 smtp failed-command command="" result="550 5.7.1 Reverse DNS Lookup Failed."
Mar 03 19:28:04 waltuh.cyou smtpd[1796806]: d5373ff863e52ae4 smtp disconnected reason=disconnect
Mar 03 19:33:07 waltuh.cyou smtpd[1796806]: d5373ff9c18c9429 smtp connected address=143.244.152.105 host=portscanner-nyc1-02.prod.cyberresilience.io
Mar 03 19:33:07 waltuh.cyou smtpd[1796806]: d5373ff9c18c9429 smtp failed-command command="EHLO" result="501 5.5.1 Invalid command: EHLO requires domain name"
Mar 03 19:33:08 waltuh.cyou smtpd[1796806]: d5373ff9c18c9429 smtp disconnected reason="io-error: Connection reset by peer"
Mar 03 19:45:54 waltuh.cyou smtpd[1796806]: d5373ffa41f5cd25 smtp connected address=91.92.240.153 host=<unknown>
Mar 03 19:45:54 waltuh.cyou smtpd[1796806]: d5373ffa41f5cd25 smtp failed-command command="" result="550 5.7.1 Reverse DNS Lookup Failed."
Mar 03 19:45:54 waltuh.cyou smtpd[1796806]: d5373ffa41f5cd25 smtp disconnected reason=disconnect
Mar 03 20:02:06 waltuh.cyou smtpd[1796806]: d5373ffbef9e6af4 smtp connected address=45.144.212.169 host=<unknown>
Mar 03 20:02:06 waltuh.cyou smtpd[1796806]: d5373ffbef9e6af4 smtp failed-command command="" result="550 5.7.1 Reverse DNS Lookup Failed."
Mar 03 20:02:06 waltuh.cyou smtpd[1796806]: d5373ffbef9e6af4 smtp disconnected reason=disconnect
Mar 03 20:03:30 waltuh.cyou smtpd[1796806]: d5373ffcf1182cf8 smtp connected address=91.92.240.153 host=<unknown>
Mar 03 20:03:30 waltuh.cyou smtpd[1796806]: d5373ffcf1182cf8 smtp failed-command command="" result="550 5.7.1 Reverse DNS Lookup Failed."
Mar 03 20:03:31 waltuh.cyou smtpd[1796806]: d5373ffcf1182cf8 smtp disconnected reason=disconnect
Mar 03 20:16:21 waltuh.cyou smtpd[1796806]: d5373ffd4eafbef6 smtp connected address=80.94.95.216 host=<unknown>
Mar 03 20:16:21 waltuh.cyou smtpd[1796806]: d5373ffd4eafbef6 smtp failed-command command="" result="550 5.7.1 Reverse DNS Lookup Failed."
Mar 03 20:16:21 waltuh.cyou smtpd[1796806]: d5373ffd4eafbef6 smtp disconnected reason=disconnect
Mar 03 20:16:21 waltuh.cyou smtpd[1796806]: d5373ffe2dd03ccb smtp connected address=80.94.95.216 host=<unknown>
Mar 03 20:16:21 waltuh.cyou smtpd[1796806]: d5373ffe2dd03ccb smtp failed-command command="" result="550 5.7.1 Reverse DNS Lookup Failed."
Mar 03 20:16:21 waltuh.cyou smtpd[1796806]: d5373ffe2dd03ccb smtp disconnected reason=disconnect
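A small log summariser to go with the lines above, as an added example that is not part of the original post. It joins each `smtp connected` line (which carries `address=` and `host=`) with the matching `failed-command` line through the session id in field six, and prints how often each client IP was turned away and with which status code. The sample lines are constructed here in the same format as the log above (documentation IPs, made-up session ids, host `mx`), not taken from the poster's server.

```shell
#!/bin/sh
# Added example: per-client summary of OpenSMTPD rejections. Not from the
# original post; the log lines below are constructed, not real traffic.

# Constructed sample in the same format as the post's log (not real traffic).
SAMPLE_LOG='Mar 03 19:17:16 mx smtpd[1]: aaaa smtp connected address=198.51.100.7 host=<unknown>
Mar 03 19:17:16 mx smtpd[1]: aaaa smtp failed-command command="" result="550 5.7.1 Reverse DNS Lookup Failed."
Mar 03 19:17:16 mx smtpd[1]: aaaa smtp disconnected reason=disconnect
Mar 03 19:21:05 mx smtpd[1]: bbbb smtp connected address=198.51.100.7 host=<unknown>
Mar 03 19:21:05 mx smtpd[1]: bbbb smtp failed-command command="" result="550 5.7.1 Reverse DNS Lookup Failed."
Mar 03 19:21:05 mx smtpd[1]: bbbb smtp disconnected reason=disconnect
Mar 03 19:33:07 mx smtpd[1]: cccc smtp connected address=203.0.113.9 host=scanner.example.net
Mar 03 19:33:07 mx smtpd[1]: cccc smtp failed-command command="EHLO" result="501 5.5.1 Invalid command: EHLO requires domain name"
Mar 03 19:33:08 mx smtpd[1]: cccc smtp disconnected reason="io-error: Connection reset by peer"
Mar 03 19:40:00 mx smtpd[1]: dddd smtp connected address=192.0.2.5 host=mail.example.org
Mar 03 19:40:01 mx smtpd[1]: dddd smtp disconnected reason=quit'

# reject_summary: reads smtpd log lines on stdin and prints
#   "<count> <client ip> <rdns or <unknown>> <smtp status code>"
# for every session that hit a failed-command, most frequent first.
# Field 6 is the session id on both the "connected" and the
# "failed-command" line, which is what lets the two be joined.
reject_summary() {
    awk '
    /smtp connected / {
        sid = $6
        a = $0; sub(/.*address=/, "", a); sub(/ .*/, "", a); addr[sid] = a
        h = $0; sub(/.*host=/, "", h);                       host[sid] = h
    }
    /smtp failed-command / {
        sid = $6
        # A session whose "connected" line is outside the captured window
        # (like the first line of the log above) gets a "?" placeholder.
        if (!(sid in addr)) { addr[sid] = "?"; host[sid] = "?" }
        r = $0; sub(/.*result="/, "", r); code = substr(r, 1, 3)
        key = addr[sid] " " host[sid] " " code
        n[key]++
    }
    END { for (k in n) print n[k], k }
    ' | sort -rn
}

# Usage: feed the live log instead of the sample, e.g.
#   grep "smtp " /var/log/maillog | reject_summary
printf '%s\n' "$SAMPLE_LOG" | reject_summary
```

Sessions that disconnect cleanly without a `failed-command` line (the `dddd` session above) are deliberately not reported, so the output is only the clients the policy actually turned away; a high count for one IP with `<unknown>` rDNS and code 550 is the retry pattern visible in the post's log.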

@kaia @phnt because, here’s a snippet:

# $maildomain, $domain, $certdir, $selfsigned and $allow_suboptimal_ciphers
# are set earlier in the script this snippet is taken from.
echo "Configuring Postfix's main.cf..."

# Adding additional vars to fix an issue with receiving emails (relay access denied) and adding it to mydestination.
postconf -e "myhostname = $maildomain"
postconf -e "mail_name = $domain"  #This is for the smtpd_banner
postconf -e "mydomain = $domain"
postconf -e 'mydestination = $myhostname, $mydomain, mail, localhost.localdomain, localhost, localhost.$mydomain'

# Change the cert/key files to the default locations of the Let's Encrypt cert/key
postconf -e "smtpd_tls_key_file=$certdir/privkey.pem"
postconf -e "smtpd_tls_cert_file=$certdir/fullchain.pem"
if [ "$selfsigned" != "yes" ]; then
	postconf -e "smtp_tls_CAfile=$certdir/cert.pem"
fi

# Enable, but do not require TLS. Requiring it with other servers would cause
# mail delivery problems and requiring it locally would cause many other
# issues.
postconf -e 'smtpd_tls_security_level = may'
postconf -e 'smtp_tls_security_level = may'

# TLS required for authentication.
postconf -e 'smtpd_tls_auth_only = yes'

# Exclude insecure and obsolete encryption protocols.
postconf -e 'smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1'
postconf -e 'smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1'
postconf -e 'smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1'
postconf -e 'smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1'

# Exclude suboptimal ciphers.
if [ "$allow_suboptimal_ciphers" = "no" ]; then
	postconf -e 'tls_preempt_cipherlist = yes'
	postconf -e 'smtpd_tls_exclude_ciphers = aNULL, LOW, EXP, MEDIUM, ADH, AECDH, MD5, DSS, ECDSA, CAMELLIA128, 3DES, CAMELLIA256, RSA+AES, eNULL'
fi

# Here we tell Postfix to look to Dovecot for authenticating users/passwords.
# Dovecot will be putting an authentication socket in /var/spool/postfix/private/auth
postconf -e 'smtpd_sasl_auth_enable = yes'
postconf -e 'smtpd_sasl_type = dovecot'
postconf -e 'smtpd_sasl_path = private/auth'

# helo, sender, relay and recipient restrictions
postconf -e "smtpd_sender_login_maps = pcre:/etc/postfix/login_maps.pcre"
postconf -e 'smtpd_sender_restrictions = reject_sender_login_mismatch, permit_sasl_authenticated, permit_mynetworks, reject_unknown_reverse_client_hostname, reject_unknown_sender_domain'
postconf -e 'smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, reject_unknown_recipient_domain'
postconf -e 'smtpd_relay_restrictions = permit_sasl_authenticated, reject_unauth_destination'
postconf -e 'smtpd_helo_required = yes'
postconf -e 'smtpd_helo_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, reject_unknown_helo_hostname'

# NOTE: the trailing slash here, or for any directory name in the home_mailbox
# command, is necessary as it distinguishes a maildir (which is the actual
# directory that we want) from a spoolfile (which is what old unix boomers want
# and no one else).
postconf -e 'home_mailbox = Mail/Inbox/'

# Prevent "Received From:" header in sent emails in order to prevent leakage of public ip addresses
postconf -e "header_checks = regexp:/etc/postfix/header_checks"

# strips "Received From:" in sent emails
echo "/^Received:.*/     IGNORE
/^X-Originating-IP:/    IGNORE" >> /etc/postfix/header_checks

# Create a login map file that ensures that if a sender wants to send a mail from a user at our local
# domain, they must be authenticated as that user.
# Every dot in the domain is escaped (sed's g flag) so the PCRE only matches this exact domain.
echo "/^(.*)@$(sh -c "echo $domain | sed 's/\./\\\./g'")$/   \${1}" > /etc/postfix/login_maps.pcre

# master.cf
echo "Configuring Postfix's master.cf..."

sed -i '/^\s*-o/d;/^\s*submission/d;/^\s*smtp/d' /etc/postfix/master.cf

echo "smtp unix - - n - - smtp
smtp inet n - y - - smtpd
  -o content_filter=spamassassin
submission inet n       -       y       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_tls_auth_only=yes
  -o smtpd_enforce_tls=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_sender_restrictions=reject_sender_login_mismatch
  -o smtpd_sender_login_maps=pcre:/etc/postfix/login_maps.pcre
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject_unauth_destination
smtps     inet  n       -       y       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
spamassassin unix -     n       n       -       -       pipe
  user=debian-spamd argv=/usr/bin/spamc -f -e /usr/sbin/sendmail -oi -f \${sender} \${recipient}" >> /etc/postfix/master.cf
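A check that goes with the snippet above, as an added example that is not part of the original post or the script it comes from: it reads a `postconf -n` style dump and reports the settings the snippet is there to get right (STARTTLS offered, AUTH only over TLS, old TLS versions excluded, HELO required, no open relay). The two dumps are constructed here, one mirroring the snippet's values and one deliberately weak; the parameter names are real Postfix parameters, the `conf_get`/`audit_postfix` helpers are this example's own.

```shell
#!/bin/sh
# Added example: audit a `postconf -n` dump for the settings the snippet sets.
# Not from the original post; both dumps below are constructed.

# Constructed dump mirroring the snippet's values (expected: no findings).
GOOD_CONF='smtpd_tls_security_level = may
smtpd_tls_auth_only = yes
smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_helo_required = yes
smtpd_relay_restrictions = permit_sasl_authenticated, reject_unauth_destination
smtpd_sasl_auth_enable = yes'

# Constructed weak dump: no STARTTLS, cleartext AUTH, TLSv1.x allowed,
# HELO optional, relay restrictions that never reject (open relay).
WEAK_CONF='smtpd_tls_security_level = none
smtpd_tls_auth_only = no
smtpd_tls_protocols = !SSLv2, !SSLv3
smtpd_helo_required = no
smtpd_relay_restrictions = permit_mynetworks, permit
smtpd_sasl_auth_enable = yes'

# conf_get NAME: value of parameter NAME from the dump on stdin (empty if unset).
conf_get() {
    sed -n "s/^$1[[:space:]]*=[[:space:]]*//p" | head -n 1
}

# audit_postfix: reads a dump on stdin, prints one "FINDING:" line per
# problem, and returns the number of findings (0 means clean).
audit_postfix() {
    conf=$(cat)
    findings=0
    fail() { echo "FINDING: $1"; findings=$((findings + 1)); }

    v=$(printf '%s\n' "$conf" | conf_get smtpd_tls_security_level)
    [ "$v" = "may" ] || [ "$v" = "encrypt" ] \
        || fail "smtpd_tls_security_level is '${v:-unset}': STARTTLS not offered on port 25"

    v=$(printf '%s\n' "$conf" | conf_get smtpd_tls_auth_only)
    [ "$v" = "yes" ] || fail "smtpd_tls_auth_only is not yes: SASL credentials may travel in cleartext"

    v=$(printf '%s\n' "$conf" | conf_get smtpd_tls_protocols)
    case "$v" in
        *'!TLSv1.1'*) ;;
        *) fail "smtpd_tls_protocols does not exclude TLSv1.1 (got '${v:-unset}')" ;;
    esac

    v=$(printf '%s\n' "$conf" | conf_get smtpd_helo_required)
    [ "$v" = "yes" ] || fail "smtpd_helo_required is not yes: HELO restrictions never apply"

    v=$(printf '%s\n' "$conf" | conf_get smtpd_relay_restrictions)
    case "$v" in
        *reject_unauth_destination*|*defer_unauth_destination*) ;;
        *) fail "smtpd_relay_restrictions lacks reject_unauth_destination: open relay risk" ;;
    esac

    return "$findings"
}

# Usage on a live system: postconf -n | audit_postfix
printf '%s\n' "$WEAK_CONF" | audit_postfix || echo "weak config: $? finding(s)"
```

The relay check is the one worth running after every edit to `main.cf`: `smtpd_relay_restrictions` is evaluated for every recipient, and a list that ends without `reject_unauth_destination` (or `defer_unauth_destination`) relays for anyone, which is exactly the behaviour that gets an IP onto the blocklists the first post complains about.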

@mint @kaia @yonle I run two mailservers, I'm in no way against hosting your own email, but just like with GNU/Bootlickers pushing unusable and broken software/hardware to unsuspecting people and calling it amazing and fully working, the people that push self-hosting your own mail server should also take a step back and think about to whom they recommend it and how they talk about the reality of hosting it. It is not all sunshine and roses.