LINUX-L Archives (LINUX-L@LISTS.UFL.EDU), LISTSERV 16.0
Subject: Re: Mail Server Inquiry
From: "N.J. Thomas" <[log in to unmask]>
Reply-To: Platform Independent Linux List! <[log in to unmask]>
Date: Wed, 7 Mar 2018 13:52:03 -0800
Content-Type: text/plain
Parts/Attachments: text/plain (112 lines)

* Nick Strickland <[log in to unmask]> [2018-03-01 05:37:29+0000]:
> It was intentional to leave out any logs
[...]
> My goal isn't to fix the broken setup I have (had) now but purely to
> learn so I can start from scratch properly later.

Fair enough.


> As a serious newbie to DNS, I can only say I think my DNS is
> configured properly. I have an MX and an A record for my domain
> pointing to my VPS's static IP.

Okay. The only other thing I would suggest is to always have a backup MX
available as well. You can easily upgrade one host or the other without
losing anything that way.


> Currently my domains and their DNS are managed by Godaddy, which is
> something I hope to change soon. Reverse IP is working as expected.

For many reasons, you should always separate your DNS hosting from your
registrar, from your web host. Keep them all separate.

(Also, GoDaddy has been traditionally not a very good choice for DNS
registration, cf. the SOPA debacle from years ago. I've not used them,
but I hear good things about Hurricane Electric's free DNS hosting. For
DNS registration, Gandi is a good one. There are others.)

You should have backup DNS as well, for the same reasons as mentioned
above.


> Currently SSH is only accessible by a single key with password login
> and root access disabled.

Good. Also look into setting AllowUsers in your sshd config to lock it
down further.

If you do ever need to set up a bastion host that allows password logins,
absolutely make sure AllowUsers is set, as well as lock it down with
TOTP 2FA (Google Authenticator is a popular choice, but anything that
does TOTP will work).


> For the moment I've only got firewalld running with a few services and
> zones cleared. Since this isn't production and on a different domain
> than any of my other services, I'm not too concerned with unauthorized
> access, should it happen, so I've gotten lazy on that note.

Also look into installing and running SSHGuard on all your hosts.
(DenyHosts and fail2ban are common alternatives, but SSHGuard is the
modern one and just works.)


> I'm looking for some nice Linux books if you have some suggestions!

It's been a while, and I used a way older version, but UNIX and Linux
System Administration Handbook, 5th Edition by Nemeth et al. is probably
a good choice.

Everything else I looked into (eg. the Armadillo book) seems to be out
of print or 20+ years old.


> I wiped the VPS and started using it for something else so as not to
> waste money, so I cannot include any postconf information. To my
> knowledge, each of those lines was populated, at the very least.

Okay. Initially when setting up your server, you want to answer two
basic questions with your setup:

    - Who (ie. what domains) do I accept mail for?
    - What machines will I send out mail on behalf of?

I think the 5 basic Postfix parameters that answer that are these:

    mydestination
    mydomain
    myhostname
    mynetworks
    relay_domains

You basically want to make sure you only accept mail for domains you
manage, and you only send mail on behalf of hosts you trust.

If you already have a relay host set up, just set your box to be a
Postfix null client. There are tons of examples for that online.


> Postfix having good logs has been refreshing. Before I broke my last
> configuration, I noticed how verbose it really was. I suppose there's
> a reason so many people recommend it, right?

Because of its design, Postfix breaks up log entries into various lines
with a common transaction code, so it's initially kinda hard to follow
what is going on. Add to the mix that different Postfix daemons do
different things with the mail message, and write their own log entries.

If you just keep track of the transaction code, or tail the log file as
mail comes in and goes out, you should figure out pretty quickly what's
going on.


One last thing I will mention, when testing mail, it used to be a common
thing to telnet to port 25 and talk ESMTP. Don't do that anymore. Use a
tool called Swaks to test your email. It is _so_ much better.


Keep us posted.

Thomas
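The two questions in the message above (whose mail do I accept, on whose behalf do I relay) are decided by a handful of main.cf settings. The following is an added example, not code from the post or from the Postfix project: a small checker that parses main.cf syntax, expands $parameter references the way Postfix does, lists the domains the box will accept mail for, and flags mynetworks settings that make it relay for strangers. The host names, domains and the sample configuration are constructed for illustration.

```python
"""Audit the Postfix main.cf parameters that answer "whose mail do I accept?"
and "on whose behalf do I relay?".  Added example, not from the original post;
host names, domains and the sample main.cf below are constructed."""
import ipaddress
import re

# Constructed sample main.cf (hypothetical host).  The continuation line
# "0.0.0.0/0" in mynetworks is the classic mistake that turns a personal
# VPS into an open relay.
SAMPLE_MAIN_CF = """\
myhostname = mail.example.com
mydomain = example.com
myorigin = $mydomain
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
mynetworks = 127.0.0.0/8 [::1]/128
    0.0.0.0/0
relay_domains = $mydestination
"""


def parse_main_cf(text):
    """Parse main.cf syntax: 'name = value'; a line starting with whitespace
    continues the previous value; '#' lines are comments.  Output of
    'postconf -n' uses the same syntax and can be fed in unchanged."""
    params = {}
    current = None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0] in " \t" and current is not None:
            params[current] += " " + line.strip()
            continue
        name, sep, value = line.partition("=")
        if not sep:
            continue
        current = name.strip()
        params[current] = value.strip()
    return params


def expand(value, params, depth=0):
    """Expand $name and ${name} references recursively, as Postfix does."""
    if depth > 10:
        raise ValueError("parameter reference loop")

    def sub(m):
        return expand(params.get(m.group(1) or m.group(2), ""), params, depth + 1)

    return re.sub(r"\$\{(\w+)\}|\$(\w+)", sub, value)


def split_list(value):
    """Postfix list values are separated by commas and/or whitespace."""
    return [v for v in re.split(r"[,\s]+", value) if v]


def accepts_mail_for(params):
    """Domains this host takes inbound mail for: local delivery (mydestination)
    plus domains it relays onward as a backup MX (relay_domains)."""
    doms = split_list(expand(params.get("mydestination", ""), params))
    doms += split_list(expand(params.get("relay_domains", ""), params))
    return sorted(set(doms))


def audit(params):
    """Return findings about networks that are trusted to relay through us."""
    findings = []
    if "mynetworks" not in params:
        # With mynetworks unset, mynetworks_style decides; "class" trusts the
        # whole class A/B/C network the server's own address falls in.
        if params.get("mynetworks_style", "subnet").strip() == "class":
            findings.append("mynetworks_style = class trusts the whole IP class of the server")
    for item in split_list(expand(params.get("mynetworks", ""), params)):
        # IPv6 networks are written [addr]/len in main.cf
        m = re.fullmatch(r"\[([^\]]+)\](/\d+)?", item)
        cidr = m.group(1) + (m.group(2) or "") if m else item
        try:
            net = ipaddress.ip_network(cidr, strict=False)
        except ValueError:
            continue  # hostnames and lookup tables are out of scope here
        if net.prefixlen == 0:
            findings.append(f"mynetworks trusts every IPv{net.version} address: {item} (open relay)")
        elif not (net.is_loopback or net.is_private or net.is_link_local):
            findings.append(f"mynetworks trusts a public range: {item}")
    return findings


if __name__ == "__main__":
    p = parse_main_cf(SAMPLE_MAIN_CF)
    print("accepts mail for:", ", ".join(accepts_mail_for(p)))
    for f in audit(p) or ["no relay findings"]:
        print("finding:", f)
```

On a live box the same question is answered end to end with the swaks tool mentioned at the end of the message: from an address outside mynetworks, `swaks --to victim@example.net --from someone@example.com --server mail.example.com` (hypothetical names) must end in a 554 "Relay access denied" at RCPT TO, not a 250.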

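The "transaction code" the message refers to is the Postfix queue ID, which every daemon (smtpd, cleanup, qmgr, smtp, pickup) prefixes to its own line for the same message, while rejected attempts are logged under NOQUEUE because they never entered the queue. As an added example, not from the original post or from Postfix, here is a correlator that groups a syslog-format mail.log by queue ID and reports, per message, who sent it, where it went and whether it left the queue, plus the NOQUEUE rejects. The log lines are constructed to look like a default mail.log, with made-up hosts and addresses.

```python
"""Follow Postfix transactions through the mail log by queue ID.  Added
example, not from the original post; the log lines below are constructed
to look like a default syslog-format mail.log with made-up hosts."""
import re

SAMPLE_LOG = """\
Mar  7 13:40:01 mail postfix/smtpd[1234]: connect from unknown[203.0.113.7]
Mar  7 13:40:01 mail postfix/smtpd[1234]: 3F2A1C0B2: client=unknown[203.0.113.7]
Mar  7 13:40:01 mail postfix/cleanup[1240]: 3F2A1C0B2: message-id=<20180307.1@example.org>
Mar  7 13:40:01 mail postfix/qmgr[1100]: 3F2A1C0B2: from=<alice@example.org>, size=1024, nrcpt=1 (queue active)
Mar  7 13:40:02 mail postfix/smtp[1250]: 3F2A1C0B2: to=<bob@example.net>, relay=mx.example.net[198.51.100.2]:25, delay=1.2, delays=0.1/0/0.5/0.6, dsn=2.0.0, status=sent (250 2.0.0 OK)
Mar  7 13:40:02 mail postfix/qmgr[1100]: 3F2A1C0B2: removed
Mar  7 13:40:02 mail postfix/smtpd[1234]: disconnect from unknown[203.0.113.7]
Mar  7 13:41:10 mail postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[203.0.113.9]: 554 5.7.1 <victim@example.net>: Relay access denied; from=<someone@example.com> to=<victim@example.net> proto=ESMTP helo=<evil>
Mar  7 13:42:30 mail postfix/pickup[1050]: 7B9E2C0C4: uid=1000 from=<nick@example.com>
Mar  7 13:42:30 mail postfix/cleanup[1240]: 7B9E2C0C4: message-id=<20180307.2@example.com>
Mar  7 13:42:30 mail postfix/qmgr[1100]: 7B9E2C0C4: from=<nick@example.com>, size=812, nrcpt=1 (queue active)
Mar  7 13:43:00 mail postfix/smtp[1251]: 7B9E2C0C4: to=<carol@example.org>, relay=none, delay=30, delays=0.1/0/30/0, dsn=4.4.1, status=deferred (connect to mx.example.org[198.51.100.5]:25: Connection timed out)
"""

# syslog prefix, daemon name, optional queue ID (short hex IDs here; long
# queue IDs are mixed-case base-62 and would need a wider class), message
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) postfix/(?P<daemon>[\w-]+)\[\d+\]: "
    r"(?:(?P<qid>[0-9A-F]{6,}|NOQUEUE): )?(?P<msg>.*)$")
# key=value pairs; angle-bracketed addresses may contain commas, so match them whole
KV_RE = re.compile(r"([\w-]+)=(<[^>]*>|[^,\s]+)")
# NOQUEUE: reject: <stage> from <client>: <code> <enhanced> [<rcpt>: ]<reason>; ...
REJECT_RE = re.compile(
    r"reject: (?P<stage>\w+) from (?P<client>\S+): (?P<code>\d{3}) \S+ "
    r"(?:<[^>]*>: )?(?P<reason>[^;]+)")


def parse_line(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["fields"] = {k: v.strip("<>") for k, v in KV_RE.findall(rec["msg"])}
    return rec


def correlate(log_text):
    """Group queued log lines by queue ID and collect NOQUEUE rejects."""
    txns, rejects = {}, []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["qid"] is None:
            continue  # connect/disconnect and other chatter not tied to a message
        f = rec["fields"]
        if rec["qid"] == "NOQUEUE":
            m = REJECT_RE.search(rec["msg"])
            rejects.append({"ts": rec["ts"],
                            "client": m.group("client") if m else None,
                            "code": m.group("code") if m else None,
                            "reason": m.group("reason").strip() if m else rec["msg"],
                            "from": f.get("from"), "to": f.get("to")})
            continue
        t = txns.setdefault(rec["qid"], {"first_seen": rec["ts"], "daemons": [],
                                         "client": None, "from": None,
                                         "to": [], "status": [], "done": False})
        t["daemons"].append(rec["daemon"])
        if "client" in f:
            t["client"] = f["client"]
        if "from" in f:
            t["from"] = f["from"]
        if "to" in f:  # one delivery-attempt line per recipient
            t["to"].append(f["to"])
            t["status"].append(f.get("status"))
        if rec["daemon"] == "qmgr" and rec["msg"] == "removed":
            t["done"] = True  # left the queue: every recipient delivered or bounced
    return {"transactions": txns, "rejects": rejects}


def summarize(result):
    """One human-readable line per message and per reject."""
    out = []
    for qid, t in result["transactions"].items():
        state = "done" if t["done"] else "still queued"
        out.append(f"{qid} {t['first_seen']} from={t['from']} "
                   f"to={','.join(t['to'])} status={','.join(map(str, t['status']))} "
                   f"via={'>'.join(t['daemons'])} [{state}]")
    for r in result["rejects"]:
        out.append(f"REJECT {r['ts']} {r['client']} {r['code']} {r['reason']} "
                   f"from={r['from']} to={r['to']}")
    return out


if __name__ == "__main__":
    for line in summarize(correlate(SAMPLE_LOG)):
        print(line)
```

Tailing a live log through `correlate` one chunk at a time is the same idea as grepping for the queue ID by hand; the "still queued" state with a deferred status is what to look for when mail appears to vanish, and the REJECT lines with "Relay access denied" are the evidence that the relay rules are doing their job.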