{"id":226,"date":"2016-05-28T07:20:06","date_gmt":"2016-05-27T19:20:06","guid":{"rendered":"https:\/\/micro.muppetz.com\/blog\/?p=226"},"modified":"2018-11-21T10:03:41","modified_gmt":"2018-11-20T21:03:41","slug":"running-your-own-mailservers","status":"publish","type":"post","link":"https:\/\/micro.muppetz.com\/blog\/2016\/05\/28\/running-your-own-mailservers\/","title":{"rendered":"Running Your Own Mailserver(s)"},"content":{"rendered":"<p><strong>This post is now out of date! Running your own mailserver is\u00a0<em>even easier<\/em> these days thanks to <a href=\"https:\/\/rspamd.com\">rspamd<\/a>. You literally plug rspamd into your mailserver using a milter, it&#8217;s a single line in Postfix, and rspamd rolls up everything below in the smtpd_recipient_restrictions section and then some, plus it&#8217;s got a nice web GUI.\u00a0 <\/strong><\/p>\n<p><strong>Rspamd: Zero spam, Rapid delivery.<\/strong><\/p>\n<p>Running your own mailserver isn&#8217;t that hard. \u00a0I always have a chuckle\u00a0when I read people say &#8220;Why would you do it yourself, there&#8217;s so much management?&#8221; \u00a0That&#8217;s crap, they just don&#8217;t know how to do it.<\/p>\n<p>A mailserver basically runs itself; there are plenty of online tools to verify that you&#8217;re not an open relay, that you&#8217;ve configured your TLS settings correctly, and so on. \u00a0Plenty of configuration guides (another is included below) show you how to lock it down so that it&#8217;s not a spam wind-up-and-go machine.<\/p>\n<p>I run 3 mailservers (1 primary, 2 backup). \u00a0They all talk to a single greylisting daemon, set to allow mail through after 1 minute. \u00a0Should the greylisting daemon not be available, the servers are set to accept the mail. (Postfix&#8217;s own default when a policy service is unreachable is a temporary 451 error, so accepting instead has to be configured deliberately; in Postfix 3.0 and later the knob is smtpd_policy_service_default_action.)<\/p>\n<p>Before greylisting takes place, however, the mail gets a bunch of checks. \u00a0First of all, high-quality DNS whitelists are checked; if a server is listed there it can be trusted not to be sending spam. 
\u00a0Then blacklists are checked. \u00a0Then the remaining whitelists are checked; if a server is listed it is allowed to bypass greylisting. NOTE: Don&#8217;t use SORBS! Their data is out of date and crap. Way too many false positives. Avoid at all costs. I made this mistake once.<\/p>\n<p>Here&#8217;s the full logic that all my mail servers use. \u00a0You have to make sure all the servers share one greylisting database, otherwise a sender that retries via a backup MX is greylisted again from scratch and you&#8217;ll end up delaying mail much longer than necessary.<\/p>\n<ol>\n<li><strong>REJECT\u00a0<\/strong>anyone who doesn&#8217;t say HELO<\/li>\n<li><strong>REJECT\u00a0<\/strong>invalid hostnames in HELO<\/li>\n<li><strong>REJECT\u00a0<\/strong>envelope addresses that are not in the strict &lt;user@domain&gt; form of RFC 821<\/li>\n<li><strong>REJECT\u00a0<\/strong>unknown recipients<\/li>\n<li><strong>ALLOW<\/strong> from a list of known IPs (backup MX hosts, other trusted devices)<\/li>\n<li><strong>ALLOW<\/strong> from authenticated senders (to send mail from anywhere, using username\/password)<\/li>\n<li><strong>ALLOW<\/strong> from a set of DNS whitelists\u00a0whose listing means &#8220;non-spam&#8221;<\/li>\n<li><strong>REJECT<\/strong> from a list of DNS blacklists<\/li>\n<li><strong>ALLOW\u00a0<\/strong>from a second set of DNS whitelists of hosts verified to be real SMTP servers (skips the need to greylist)<\/li>\n<li>Send to the greylisting daemon to <strong>ACCEPT\/DELAY<\/strong><\/li>\n<li><strong>ACCEPT<\/strong><\/li>\n<\/ol>\n<p>Step 7 could be amalgamated with step 9, but I prefer to\u00a0&#8220;trust&#8221; the lists of known, trusted email senders before checking blacklists, as blacklists can sometimes be a bit &#8220;over zealous&#8221; in flagging a server as spam, e.g. one that sends newsletters. 
\u00a0This way the checks run in this order:<\/p>\n<ol>\n<li>Verified quality sender &#8211;\u00a0ACCEPT.<\/li>\n<li>Check the blacklists &#8211; DENY.<\/li>\n<li>Verified RFC-compliant SMTP server &#8211; skip greylisting (we know it&#8217;ll just retry anyway, so there&#8217;s no point delaying it) &#8211; ACCEPT.<\/li>\n<li>Send to greylisting for the DELAY\/ACCEPT decision.<\/li>\n<\/ol>\n<p>With these rules in place, almost zero spam makes it through, probably 2-3 spams per week. \u00a0However, the amount of mail that is rejected by the blacklists and greylisting is amazing: thousands per day.<\/p>\n<p>Once a mail has finally been accepted, I send it to SpamAssassin for checking, just to be sure.<\/p>\n<p>The other important thing I&#8217;ve done fairly recently (in the last couple of years) is to make sure Postfix is set up correctly to send and receive mail over TLS: SSLv2 and SSLv3 are\u00a0disabled, weak ciphers are disabled and Perfect Forward Secrecy is enabled.<\/p>\n<p>Here&#8217;s my main.cf for Postfix.<\/p>\n<pre>smtpd_banner = $myhostname ESMTP - SMTP BANNER GREETING\r\nbiff = no\r\n\r\n# appending .domain is the MUA's job.\r\nappend_dot_mydomain = no\r\n\r\n# Send a warning if mail is delayed after 1 hour\r\ndelay_warning_time = 1h\r\n# If mail can't be delivered after 7 days, we give up\r\nmaximal_queue_lifetime = 7d\r\n\r\nreadme_directory = no\r\ninet_protocols = ipv4\r\n\r\n# Incoming Mail\r\nsmtpd_tls_cert_file=\/etc\/letsencrypt\/live\/&lt;hostname&gt;\/fullchain.pem\r\nsmtpd_tls_key_file=\/etc\/letsencrypt\/live\/&lt;hostname&gt;\/privkey.pem\r\nsmtpd_tls_CAfile = \/etc\/ssl\/certs\/ca-certificates.crt\r\n# The parameter is named dh1024 for historical reasons; a 2048-bit group belongs here\r\nsmtpd_tls_dh1024_param_file = ${config_directory}\/dh2048.pem\r\n# Only used by export-grade ciphers, which the 'high' grade below never offers\r\nsmtpd_tls_dh512_param_file = ${config_directory}\/dh512.pem\r\nsmtpd_use_tls=yes\r\nsmtpd_tls_session_cache_database = btree:${data_directory}\/smtpd_scache\r\nsmtpd_tls_session_cache_timeout = 604800\r\nsmtpd_tls_eecdh_grade = 
strong\r\n# Opportunistic TLS: offer STARTTLS but still accept plaintext from peers that don't do TLS\r\nsmtpd_tls_security_level = may\r\n# NOTE: with 'may', a peer that can't negotiate a 'high' cipher fails the handshake and\r\n# typically retries in plaintext, which is why the Postfix docs keep the default 'medium'\r\n# grade for opportunistic TLS\r\nsmtpd_tls_ciphers = high\r\nsmtpd_tls_protocols = !SSLv2, !SSLv3\r\nsmtpd_tls_exclude_ciphers = aNULL, eNULL, RC4\r\n# Don't offer AUTH until STARTTLS is established\r\nsmtpd_tls_auth_only = yes\r\n\r\n# Ask for a client cert\r\nsmtpd_tls_ask_ccert = yes\r\n\r\n# Outgoing Mail\r\nsmtp_tls_cert_file=\/etc\/letsencrypt\/live\/&lt;hostname&gt;\/fullchain.pem\r\nsmtp_tls_key_file=\/etc\/letsencrypt\/live\/&lt;hostname&gt;\/privkey.pem\r\nsmtp_tls_CAfile = \/etc\/ssl\/certs\/ca-certificates.crt\r\nsmtp_use_tls=yes\r\nsmtp_tls_session_cache_database = btree:${data_directory}\/smtp_scache\r\nsmtp_tls_session_cache_timeout = 604800\r\n# Same caveat as above: 'may' plus 'high' means a failed handshake falls back to plaintext\r\nsmtp_tls_security_level = may\r\nsmtp_tls_ciphers = high\r\nsmtp_tls_protocols = !SSLv2, !SSLv3\r\nsmtp_tls_exclude_ciphers = aNULL, eNULL, RC4\r\n\r\n# TLS Params: prefer the server's cipher order over the client's\r\ntls_preempt_cipherlist = yes\r\n\r\nmyhostname = &lt;my hostname&gt;\r\nalias_maps = hash:\/etc\/aliases\r\nalias_database = hash:\/etc\/aliases\r\nmyorigin = \/etc\/mailname\r\nmydestination = &lt;hostnames I accept mail for&gt;\r\nvirtual_alias_domains = &lt;other domains I host&gt;\r\nvirtual_alias_maps = hash:\/etc\/postfix\/virtual\r\nrelayhost =\r\n# Backup MX hosts are trusted like localhost (they relay inbound mail to us)\r\nmynetworks = 127.0.0.0\/8 [::ffff:127.0.0.0]\/104 [::1]\/128 &lt;backup MX1&gt; &lt;backup MX2&gt;\r\n# Procmail delivers; $EXTENSION is the part after the recipient_delimiter.\r\n# Set once only: Postfix takes the last definition of a parameter and warns about earlier ones.\r\nmailbox_command = procmail -a \"$EXTENSION\"\r\nmailbox_size_limit = 0\r\nrecipient_delimiter = +\r\ninet_interfaces = all\r\nhtml_directory = no\r\n\r\n# sasl! 
SMTP AUTH so clients can send from anywhere with a username\/password (only offered after STARTTLS, see smtpd_tls_auth_only)\r\nsmtpd_sasl_auth_enable = yes\r\nsmtpd_sasl_security_options = noanonymous\r\nsmtpd_sasl_local_domain = $myhostname\r\nsmtpd_sasl_authenticated_header = yes\r\n\r\n# Mail signing with OpenDKIM.\r\n# Don't copy the two milter lines unless you have set up OpenDKIM.\r\n# Postfix main.cf has no trailing comments: a '#' after the value becomes part of the value.\r\nmilter_protocol = 2\r\nmilter_default_action = accept\r\nsmtpd_milters = inet:localhost:12301\r\nnon_smtpd_milters = inet:localhost:12301\r\n\r\n# Proper mail protocol please: envelope addresses must be &lt;user@domain&gt;\r\nstrict_rfc821_envelopes = yes\r\n\r\n# No VRFY: don't let clients enumerate valid users\r\ndisable_vrfy_command = yes\r\n\r\n# Demand a polite conversation: HELO\/EHLO is mandatory\r\nsmtpd_helo_required = yes\r\n\r\n# Evaluate restrictions at RCPT TO, so rejects are logged with HELO, sender and recipient\r\nsmtpd_delay_reject = yes\r\n\r\nsmtpd_helo_restrictions = permit_mynetworks,\r\n reject_non_fqdn_hostname,\r\n reject_invalid_hostname,\r\n permit\r\n\r\n# Order matters: the first restriction that permits or rejects wins\r\nsmtpd_recipient_restrictions =\r\n reject_invalid_hostname,\r\n reject_unknown_recipient_domain,\r\n reject_unauth_pipelining,\r\n permit_mynetworks,\r\n permit_sasl_authenticated,\r\n reject_unauth_destination,\r\n check_client_access cidr:\/etc\/postfix\/rbl_override,\r\n permit_dnswl_client iadb.isipp.com=127.0.1.255,\r\n permit_dnswl_client sa-trusted.bondedsender.org,\r\n permit_dnswl_client sa-accredit.habeas.com,\r\n permit_dnswl_client list.dnswl.org=127.0.[0..255].[2..3],\r\n permit_dnswl_client hostkarma.junkemailfilter.com=127.0.0.[1;5],\r\n reject_rhsbl_reverse_client dbl.spamhaus.org,\r\n reject_rhsbl_sender dbl.spamhaus.org,\r\n reject_rhsbl_client dbl.spamhaus.org,\r\n reject_rbl_client zen.spamhaus.org,\r\n reject_rbl_client dnsbl-1.uceprotect.net,\r\n reject_rbl_client psbl.surriel.com,\r\n reject_rbl_client hostkarma.junkemailfilter.com=127.0.0.2,\r\n reject_rbl_client bl.mailspike.net,\r\n reject_rbl_client b.barracudacentral.org,\r\n reject_rbl_client truncate.gbudb.net,\r\n permit_dnswl_client iadb.isipp.com=127.0.2.[1;2],\r\n permit_dnswl_client iadb.isipp.com=127.3.100.[5..100],\r\n permit_dnswl_client wl.mailspike.net,\r\n 
permit_dnswl_client list.dnswl.org,\r\n permit_dnswl_client hostkarma.junkemailfilter.com=127.0.0.3,\r\n check_policy_service inet:127.0.0.1:10060\r\n\r\nmessage_size_limit = 81920000\r\n\r\n<\/pre>\n<p>Once configured like that, it&#8217;s pretty much set and forget. \u00a0I occasionally check the logs to ensure that nothing is stuck in greylisting because of the dumb policy some senders have of retrying each time from a DIFFERENT IP address. \u00a0When I do see such stupidity I usually just add the sending \/24 network to the greylist whitelist.<\/p>\n<p>The final thing to note is that you should run your own caching DNS resolver. \u00a0If you use your ISP&#8217;s resolver, or a big public one like Google&#8217;s, the black\/whitelists often won&#8217;t work: the list operators rate-limit heavy resolvers to stop abuse, and the big public name-servers are almost always blocked. \u00a0Running your own small caching resolver is easy and will give you a working RBL setup.<\/p>\n<p>Update: 11\/4\/2017 &#8211; Turns out Protected Sky are just a <a href=\"https:\/\/www.spamhaus.org\/organization\/statement\/015\/fraudulent-dnsbl-uncovered-protected-sky-bad.psky.me\">bunch of rip-off merchants<\/a>. Removed them from my list of checked RBLs.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>This post is now out of date! Running your own mailserver is\u00a0even easier these days thanks to rspamd. 
You literally plug rspamd into your mailserver using a milter, it&#8217;s a single line in postfix, and rspamd rolls up everything below in the smtpd_recipient_restrictions section and then some more, plus it&#8217;s got a nice webGUI.\u00a0 Rspamd: [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":228,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[33,12,10],"tags":[102,103,105,104],"class_list":["post-226","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-computers","category-networking","category-technical","tag-mail","tag-postfix","tag-rbls","tag-spam"],"_links":{"self":[{"href":"https:\/\/micro.muppetz.com\/blog\/wp-json\/wp\/v2\/posts\/226","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/micro.muppetz.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/micro.muppetz.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/micro.muppetz.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/micro.muppetz.com\/blog\/wp-json\/wp\/v2\/comments?post=226"}],"version-history":[{"count":25,"href":"https:\/\/micro.muppetz.com\/blog\/wp-json\/wp\/v2\/posts\/226\/revisions"}],"predecessor-version":[{"id":333,"href":"https:\/\/micro.muppetz.com\/blog\/wp-json\/wp\/v2\/posts\/226\/revisions\/333"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/micro.muppetz.com\/blog\/wp-json\/wp\/v2\/media\/228"}],"wp:attachment":[{"href":"https:\/\/micro.muppetz.com\/blog\/wp-json\/wp\/v2\/media?parent=226"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/micro.muppetz.com\/blog\/wp-json\/wp\/v2\/categories?post=226"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/micro.muppetz.com\/blog\/wp-json\/wp\/v2\/tags?post=226"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
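The restriction chain in the post's main.cf (whitelists before blacklists, a second set of whitelists to skip greylisting, then the greylisting policy service) is easier to reason about when you can run it offline. The following is an added example, not the author's code or daemon: it implements Postfix's reply-pattern syntax as the post uses it (`127.0.[0..255].[2..3]`, `127.0.0.[1;5]`), walks a subset of the post's smtpd_recipient_restrictions in the same order so the first permit or reject wins, and hands leftovers to a greylister speaking the Postfix policy-delegation protocol. The DNS answers in FAKE_DNS are constructed, 192.0.2.0/24 stands in for the post's `<backup MX>` placeholders, and keying the greylist triplet on the client /24 is an assumption (the post only says it whitelists /24s when a sender retries from different addresses).

```python
"""Offline model of the smtpd_recipient_restrictions chain above: DNSWL/DNSBL
lookups with Postfix-style reply patterns, first PERMIT/REJECT wins, and what
is left goes to a greylisting policy service via the Postfix policy protocol.
Added example, not the post author's code.  Assumed, not from the post: the
FAKE_DNS answers, the 192.0.2.0/24 stand-in for <backup MX>, and a greylister
keyed on the client /24 plus sender and recipient."""
import ipaddress
import re

GREY_DELAY = 60  # the post lets mail through after one minute of greylisting
MYNETWORKS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "192.0.2.0/24")]

# Subset of the post's restriction list, in the same order.
RESTRICTIONS = [
    ("permit_mynetworks", None),
    ("permit_dnswl_client", "list.dnswl.org=127.0.[0..255].[2..3]"),
    ("permit_dnswl_client", "hostkarma.junkemailfilter.com=127.0.0.[1;5]"),
    ("reject_rbl_client", "zen.spamhaus.org"),
    ("reject_rbl_client", "hostkarma.junkemailfilter.com=127.0.0.2"),
    ("permit_dnswl_client", "hostkarma.junkemailfilter.com=127.0.0.3"),
    ("check_policy_service", "inet:127.0.0.1:10060"),
]


def reversed_ip(ip):
    """203.0.113.9 -> 9.113.0.203, the label order DNSxL zones are queried in."""
    return ".".join(reversed(ip.split(".")))


# Constructed DNS answers, not real listings: (zone, reversed client IP) -> A records.
FAKE_DNS = {
    ("list.dnswl.org", reversed_ip("198.51.100.20")): ["127.0.5.2"],    # dnswl trust level 2
    ("zen.spamhaus.org", reversed_ip("198.51.100.20")): ["127.0.0.2"],  # ...and on zen: whitelist must win
    ("zen.spamhaus.org", reversed_ip("198.51.100.66")): ["127.0.0.4"],
    ("hostkarma.junkemailfilter.com", reversed_ip("203.0.113.9")): ["127.0.0.3"],  # yellow: known MTA
}


def lookup(zone, client_ip):
    return FAKE_DNS.get((zone, reversed_ip(client_ip)), [])


def _octet_matches(pat, value):
    """One octet of a reply pattern: '2', '[2..3]' (range) or '[1;5]' (alternatives)."""
    if not pat.startswith("["):
        return int(pat) == value
    for alt in pat[1:-1].split(";"):
        if ".." in alt:
            lo, hi = (int(x) for x in alt.split("..", 1))
            if lo <= value <= hi:
                return True
        elif int(alt) == value:
            return True
    return False


def reply_matches(pattern, reply):
    """Does A record `reply` (e.g. 127.0.5.2) match `pattern` (e.g. 127.0.[0..255].[2..3])?"""
    parts = re.findall(r"\[[^\]]*\]|[^.]+", pattern)  # split on the dots outside brackets
    octets = [int(o) for o in reply.split(".")]
    return len(parts) == 4 and all(_octet_matches(p, v) for p, v in zip(parts, octets))


def dnsxl_hit(spec, client_ip):
    """spec is 'zone' or 'zone=d.d.d.d'; without a pattern any A record counts, as in Postfix."""
    zone, _, pattern = spec.partition("=")
    return any(not pattern or reply_matches(pattern, rr) for rr in lookup(zone, client_ip))


def policy_response(request, db, now):
    """Greylister side of the policy protocol: 'name=value' lines plus a blank line in,
    'action=...' plus a blank line out.  DEFER_IF_PERMIT = delay unless a later rule rejects."""
    attrs = dict(line.split("=", 1) for line in request.strip().splitlines())
    net = ipaddress.ip_network(attrs["client_address"] + "/24", strict=False)
    first_seen = db.setdefault((str(net), attrs["sender"], attrs["recipient"]), now)
    left = GREY_DELAY - (now - first_seen)
    if left > 0:
        return "action=DEFER_IF_PERMIT Greylisted, try again in %d seconds\n\n" % left
    return "action=DUNNO\n\n"


def evaluate(client_ip, sender, recipient, db, now):
    """Walk the chain the way smtpd does: the first restriction to permit or reject decides."""
    addr = ipaddress.ip_address(client_ip)
    for name, arg in RESTRICTIONS:
        if name == "permit_mynetworks" and any(addr in n for n in MYNETWORKS):
            return "PERMIT permit_mynetworks"
        if name == "permit_dnswl_client" and dnsxl_hit(arg, client_ip):
            return "PERMIT " + arg
        if name == "reject_rbl_client" and dnsxl_hit(arg, client_ip):
            return "REJECT " + arg
        if name == "check_policy_service":
            request = ("request=smtpd_access_policy\nclient_address=%s\n"
                       "sender=%s\nrecipient=%s\n\n" % (client_ip, sender, recipient))
            action = policy_response(request, db, now).split()[0].split("=", 1)[1]
            if action != "DUNNO":
                return action + " greylisted"
    return "PERMIT"  # ran off the end of the list: the post's final ACCEPT


if __name__ == "__main__":
    db = {}
    for ip in ("127.0.0.1", "198.51.100.20", "198.51.100.66", "203.0.113.9", "198.51.100.77"):
        print(ip, "->", evaluate(ip, "a@example.org", "b@example.net", db, 1000))
    print("retry from same /24 ->", evaluate("198.51.100.78", "a@example.org", "b@example.net", db, 1060))
```

Two things the walk makes visible that the config alone does not: a client on both dnswl and zen is permitted because the whitelist line comes first (the post's step 7 before step 8), and a retry from a different address in the same /24 after the delay passes straight through, which is the behaviour the post's /24 whitelisting is working around. Keep in mind that every `permit_dnswl_client` in the real config sits after `reject_unauth_destination`; moving any permit above that line would turn the server into an open relay for whitelisted clients.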