LISTSERV mailing list manager LISTSERV 15.5

LINUX-L Archives


Subject: Re: Mail Server Inquiry
From: "N.J. Thomas" <[log in to unmask]>
Reply-To: Platform Independent Linux List! <[log in to unmask]>
Date: Wed, 7 Mar 2018 13:52:03 -0800

text/plain (112 lines)

* Nick Strickland <[log in to unmask]> [2018-03-01 05:37:29+0000]:
> It was intentional to leave out any logs
> My goal isn't to fix the broken setup I have (had) now but purely to
> learn so I can start from scratch properly later.

Fair enough.

> As a serious newbie to DNS, I can only say I think my DNS is
> configured properly. I have an MX and an A record for my domain
> pointing to my VPS's static IP.

Okay. The only other thing I would suggest is to always have a backup MX
available as well. You can easily upgrade one host or the other without
losing anything that way.

> Currently my domains and their DNS are managed by Godaddy, which is
> something I hope to change soon. Reverse IP is working as expected.

For many reasons, you should always separate your DNS hosting from your
registrar, from your web host. Keep them all separate.

(Also, GoDaddy has been traditionally not a very good choice for DNS
registration, cf. the SOPA debacle from years ago. I've not used them,
but I hear good things about Hurricane Electric's free DNS hosting. For
DNS registration, Gandi is a good one. There are others.)

You should have backup DNS as well, for the same reasons as mentioned.

> Currently SSH is only accessible by a single key with password login
> and root access disabled.

Good. Also look into setting AllowUsers in your sshd config to lock it
down further.

If you do ever need to set up a bastion host that allows password logins,
absolutely make sure AllowUsers is set, as well as lock it down with
TOTP 2FA (Google Authenticator is a popular choice, but anything that
does TOTP will work).

> For the moment I've only got firewalld running with a few services and
> zones cleared. Since this isn't production and on a different domain
> than any of my other services, I'm not too concerned with unauthorized
> access, should it happen, so I've gotten lazy on that note.

Also look into installing and running SSHGuard on all your hosts.
(DenyHosts and fail2ban are common alternatives, but SSHGuard is the
modern one and just works.)

> I'm looking for some nice Linux books if you have some suggestions!

It's been a while, and I used a way older version, but UNIX and Linux
System Administration Handbook, 5th Edition by Nemeth et al. is probably
a good choice.

Everything else I looked into (e.g. the Armadillo book) seems to be out
of print or 20+ years old.

> I wiped the VPS and started using it for something else so as not to
> waste money, so I cannot include any postconf information. To my
> knowledge, each of those lines was populated, at the very least.

Okay. Initially when setting up your server, you want to answer two
basic questions with your setup:

    - Who (i.e. what domains) do I accept mail for?
    - What machines will I send out mail on behalf of?

I think the 5 basic Postfix parameters that answer that are these:


You basically want to make sure you only accept mail for domains you
manage, and you only send mail on behalf of hosts you trust.

If you already have a relay host set up, just set your box to be a
Postfix null client. There's tons of examples for that online.

> Postfix having good logs has been refreshing. Before I broke my last
> configuration, I noticed how verbose it really was. I suppose there's
> a reason so many people recommend it, right?

Because of its design, Postfix breaks up log entries into various lines
with a common transaction code, so it's initially kinda hard to follow
what is going on. Add to the mix that different Postfix daemons do
different things with the mail message, and write their own log entries.

If you just keep track of the transaction code, or tail the log file as
mail comes in and goes out, you should figure out pretty quickly what's
going on.

One last thing I will mention: when testing mail, it used to be a common
thing to telnet to port 25 and talk ESMTP. Don't do that anymore. Use a
tool called Swaks to test your email. It is _so_ much better.

Keep us posted.
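The five Postfix parameters the reply refers to do not appear in the archived message. As an added example, not from the original post, the Python script below parses a main.cf and answers the two questions from the reply (which domains this box accepts mail for, and which hosts it relays for) from the Postfix parameters `mydestination` and `mynetworks`, and flags a `mynetworks` entry that trusts every address, which is what turns a server into an open relay. Both main.cf texts, the host names and the network ranges in them are constructed; the open-relay setting is shown beside the corrected one.

```python
"""Audit a Postfix main.cf for the two questions in the reply:
which domains do we accept mail for, and which hosts do we relay for?

Added example: both main.cf texts below are constructed, not from the post.
"""
import ipaddress
import re

# Constructed weak configuration: mynetworks covers the whole IPv4 internet,
# so permit_mynetworks lets anyone relay through this host.
WEAK_MAIN_CF = """\
myhostname = mx1.example.org
mydomain = example.org
myorigin = $mydomain
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
# relays for every client on the internet: an open relay
mynetworks = 0.0.0.0/0
"""

# Constructed corrected configuration: relay only for loopback and one
# trusted LAN range (192.0.2.0/24 stands in for "hosts you trust").
HARDENED_MAIN_CF = """\
myhostname = mx1.example.org
mydomain = example.org
myorigin = $mydomain
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
mynetworks = 127.0.0.0/8, [::1]/128,
    192.0.2.0/24
"""


def parse_main_cf(text):
    """Parse main.cf into a dict: '#' comment lines are skipped, lines that
    start with whitespace continue the previous value, and $name / ${name}
    references are expanded from the other parameters."""
    raw = {}
    last = None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0] in " \t" and last is not None:
            raw[last] += " " + line.strip()
            continue
        if "=" not in line:
            continue
        name, value = (part.strip() for part in line.split("=", 1))
        raw[name] = value
        last = name

    def expand(value):
        return re.sub(r"\$\{?(\w+)\}?",
                      lambda m: expand(raw.get(m.group(1), "")), value)

    return {name: expand(value) for name, value in raw.items()}


def split_list(value):
    """Postfix list values are separated by commas and/or whitespace."""
    return [item for item in re.split(r"[,\s]+", value) if item]


def check_relay_policy(params):
    """Return findings for mynetworks entries that trust every address."""
    findings = []
    for entry in split_list(params.get("mynetworks", "")):
        cidr = entry.replace("[", "").replace("]", "")  # Postfix writes IPv6 as [::1]/128
        try:
            net = ipaddress.ip_network(cidr, strict=False)
        except ValueError:
            continue  # hostnames and table lookups (hash:/...) are not checked here
        if net.prefixlen == 0:
            findings.append(
                f"mynetworks entry {entry} trusts every address: this is an open relay")
    return findings


def audit_main_cf(text):
    """Answer the two questions and list the relay findings for one main.cf."""
    params = parse_main_cf(text)
    return {
        "accepts_mail_for": split_list(params.get("mydestination", "")),
        "relays_for": split_list(params.get("mynetworks", "")),
        "findings": check_relay_policy(params),
    }


if __name__ == "__main__":
    for label, cf in (("weak", WEAK_MAIN_CF), ("hardened", HARDENED_MAIN_CF)):
        report = audit_main_cf(cf)
        print(f"[{label}] accepts mail for: {report['accepts_mail_for']}")
        print(f"[{label}] relays for:       {report['relays_for']}")
        for finding in report["findings"]:
            print(f"[{label}] FINDING: {finding}")
```

On a live system the same check can be run against the output of `postconf -n` instead of the file, which already has `$name` references resolved; the parser here does its own expansion only so the constructed text stands alone.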
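The transaction-code behaviour described above, as an added example that is not part of the original post: the Python script below groups Postfix syslog lines by the queue ID that every daemon (smtpd, cleanup, qmgr, local, smtp) stamps on its entries, reduces each transaction to the submitting client, the sender and the deliveries, and then flags any message that a client outside the trusted networks got relayed onward over SMTP, which is the "only send mail on behalf of hosts you trust" rule checked from the logs rather than the configuration. The log lines, host names, addresses and the trusted network list (standing in for `mynetworks`) are constructed.

```python
"""Group Postfix syslog lines by queue ID and flag relaying for untrusted clients.

Added example: the log lines and networks below are constructed, not from the post.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample: one inbound delivery to a local mailbox, then one message
# accepted from an unknown client and relayed onward to a remote host.
SAMPLE_LOG = """\
Mar  7 13:40:01 mx1 postfix/smtpd[2201]: connect from mail.example.net[192.0.2.10]
Mar  7 13:40:01 mx1 postfix/smtpd[2201]: 4B2C1E0A3F: client=mail.example.net[192.0.2.10]
Mar  7 13:40:01 mx1 postfix/cleanup[2205]: 4B2C1E0A3F: message-id=<20180307@example.net>
Mar  7 13:40:01 mx1 postfix/qmgr[1188]: 4B2C1E0A3F: from=<alice@example.net>, size=1432, nrcpt=1 (queue active)
Mar  7 13:40:02 mx1 postfix/local[2210]: 4B2C1E0A3F: to=<bob@example.org>, relay=local, delay=0.4, delays=0.2/0.01/0/0.19, dsn=2.0.0, status=sent (delivered to mailbox)
Mar  7 13:40:02 mx1 postfix/qmgr[1188]: 4B2C1E0A3F: removed
Mar  7 13:40:02 mx1 postfix/smtpd[2201]: disconnect from mail.example.net[192.0.2.10]
Mar  7 13:41:10 mx1 postfix/smtpd[2230]: 7D9A2E0A41: client=unknown[198.51.100.7]
Mar  7 13:41:10 mx1 postfix/qmgr[1188]: 7D9A2E0A41: from=<someone@bad.example>, size=812, nrcpt=1 (queue active)
Mar  7 13:41:11 mx1 postfix/smtp[2240]: 7D9A2E0A41: to=<recipient@elsewhere.example>, relay=mx.elsewhere.example[203.0.113.5]:25, delay=0.8, delays=0.3/0/0.2/0.3, dsn=2.0.0, status=sent (250 OK)
Mar  7 13:41:11 mx1 postfix/qmgr[1188]: 7D9A2E0A41: removed
"""

# Constructed list of networks this server is meant to relay for (stands in for mynetworks).
TRUSTED_NETS = [ipaddress.ip_network("127.0.0.0/8"), ipaddress.ip_network("192.0.2.0/24")]

# syslog prefix, "postfix/<daemon>[pid]:", optional queue ID, rest of message
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\s"
    r"postfix/(?P<daemon>[a-z]+)\[\d+\]:\s"
    r"(?:(?P<qid>[0-9A-F]{6,}):\s)?(?P<msg>.*)$"
)
CLIENT_RE = re.compile(r"client=\S+\[([\d.]+)\]")
FROM_RE = re.compile(r"from=<([^>]*)>")
TO_RE = re.compile(r"to=<([^>]*)>,\srelay=([^,]+),.*status=(\w+)")


def parse_line(line):
    """Split one syslog line into its Postfix fields; None if it is not one."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def group_by_queue_id(log_text):
    """Collect every record carrying a queue ID under that ID, in log order."""
    transactions = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["qid"]:
            transactions[rec["qid"]].append(rec)
    return dict(transactions)


def summarize_transaction(records):
    """Reduce one queue ID's records to who submitted it and where it went."""
    summary = {"client_ip": None, "sender": None, "deliveries": []}
    for rec in records:
        msg = rec["msg"]
        if (m := CLIENT_RE.search(msg)):
            summary["client_ip"] = m.group(1)
        if (m := FROM_RE.search(msg)):
            summary["sender"] = m.group(1)
        if (m := TO_RE.search(msg)):
            summary["deliveries"].append({"rcpt": m.group(1), "relay": m.group(2),
                                          "status": m.group(3), "daemon": rec["daemon"]})
    return summary


def relayed_for_untrusted_client(summary, trusted_nets=TRUSTED_NETS):
    """True when a client outside trusted_nets had a message relayed out via SMTP.
    Inbound mail for our own domains (relay=local) from strangers is normal and not flagged."""
    if summary["client_ip"] is None:
        return False  # submitted locally via pickup/sendmail, no network client
    ip = ipaddress.ip_address(summary["client_ip"])
    if any(ip in net for net in trusted_nets):
        return False
    return any(d["daemon"] == "smtp" for d in summary["deliveries"])


def audit(log_text, trusted_nets=TRUSTED_NETS):
    """Return {queue_id: summary} with a 'flagged' field per transaction."""
    report = {}
    for qid, records in group_by_queue_id(log_text).items():
        summary = summarize_transaction(records)
        summary["flagged"] = relayed_for_untrusted_client(summary, trusted_nets)
        report[qid] = summary
    return report


if __name__ == "__main__":
    for qid, s in audit(SAMPLE_LOG).items():
        mark = "RELAYED FOR UNTRUSTED CLIENT" if s["flagged"] else "ok"
        rcpts = [d["rcpt"] for d in s["deliveries"]]
        print(f"{qid}: client={s['client_ip']} from=<{s['sender']}> -> {rcpts} [{mark}]")
```

Pointing the script at a real mail log works the same way as the embedded sample; the one thing to keep in mind is that `TRUSTED_NETS` has to mirror the server's actual `mynetworks`, otherwise legitimate submissions from your own hosts show up as findings.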

