Re: [exim] Running our own email server on GCP

Author: Zakaria
To: exim-users
Subject: Re: [exim] Running our own email server on GCP
Hi Terrance,

Here is my input.

I have configured EXIM with Dovecot in a VPS. I think it would be doable in a similar way with Docker containers, I presume, and if it's not, then it seems the issues would be along the lines of just requiring ports to be opened. Although I did not use port 26, nor did I find any need for it in my VPS setup, I read somewhere that GCP blocks 25 and people turn to 26 as the unique one, thus it needs to be opened for SMTP authentications and connections.

In regard to the security implementation to handle DKIM, SPF, DMARC and DANE, I recommend the sidn.nl tutorials on how to configure them; they offered me a great resource to understand how it works. And, as always with me, while it depends on your security ideals, I still suggest loosening the sidn.nl denies to warnings so as to make sure all emails are received, and perhaps adding headers indicating which validation fails in case there was one, and using sieve to forward to spam with a rewritten subject, e.g. content is likely spam, rewrite "spam content", and in the event of a DKIM failure, either bad or invalid signature, then add DKIM failure accordingly, etc. Refer to
https://www.sidn.nl/en/modern-internet-standards/hands-on-implementing-spf-dkim-and-dmarc-in-exim
https://www.sidn.nl/en/news-and-blogs/hands-on-implementing-dane-in-exim

I have not tested Postfix, but so far EXIM as MTA and Dovecot as IMAP server together work just perfectly, therefore I recommend using them over Postfix.

Also, I recommend securing EXIM and Dovecot so as to handle connections only over SSL. I think it's better to enable the mail server over SSL and disable STARTTLS, i.e. enable port 465 for SMTP and 993 for IMAP, and I guess 995 for POP3, to enable SSL, as well as disable 587, 143 and 110 to disable STARTTLS and require SSL, i.e. encryption, in SMTP authentications and IMAP as well as POP3 connections, since it seems STARTTLS is prone to some attack vectors; refer to https://nostarttls.secvuln.info/

In terms of the SSL library, I compiled recent EXIM master against the latest OpenSSL, I guess 3.0.1, and it works perfectly with no issues.

Lastly, it's ARC. I am currently working on configuring ARC (experimental); so far the EXIM experimental documentation seems to be a good starting point. I've not finished, and there could be more elaborate sources out there other than the EXIM notes, so I recommend doing further research on your own. It seems generally it's all about adding several blocks in ACLs and options in transports and routers, along with enabling the ARC flag during compilation.

I hope you find my input helpful, with good luck.

Zakaria.
On 5 Feb 2022 15:01, Byung-Hee HWANG via Exim-users <exim-users@???> wrote:

     Terrance Devor via Exim-users <exim-users@???> writes:
     > To add some additional information regarding what we are trying to
     > achieve:
     >
     > - An email server as a docker container. Prefer EXIM however Postfix
     >   would work
     > - A POP3/IMAP server as a docker container
     >
     > The containers will be deployed to a kubernetes cluster on GCP. We
     > also want DKIM and all the verification to work perfectly. This is
     > for my own company, security is a must :)
     >
     > Can anyone please help guide in the right direction?
     As you know, all bytes are money on GCP, AWS and other Cloud
     services. So I do not use POP3/IMAP on GCP. All incoming emails go
     forward to a real Gmail box:
     #+BEGIN_SRC text
     soyeomul@bionic190316003:~$ cat ~/.forward
     soyeomul+gcp@???
     #+END_SRC
     And I don't know about Docker. Both Exim and Postfix are good
     MTAs.
     Sincerely, Byung-Hee
     --
     ## List details at
     https://lists.exim.org/mailman/listinfo/exim-users
     ## Exim details at http://www.exim.org/
     ## Please use the Wiki with this list - http://wiki.exim.org/
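As an added illustration (not from the thread or any of its posters), here is how two of the points above map onto an Exim configuration: implicit TLS on port 465 with AUTH advertised only on an already-encrypted session, and the DKIM ACL loosened from a tutorial-style deny to a warn that records the verdict in a header for a Sieve rule to act on. Port 25 stays open because other MTAs deliver inbound mail there; the certificate paths and the ACL name are assumptions.

```exim
# ---- main section ----
# 25 is kept for inbound MX delivery (peer MTAs use STARTTLS there;
# the DANE tutorial hardens that leg). Submission is only on 465,
# which speaks TLS from the first byte, so there is no STARTTLS
# command for a client's session to be downgraded around. 587 is
# simply not listened on.
daemon_smtp_ports    = 25 : 465
tls_on_connect_ports = 465

tls_advertise_hosts  = *
tls_certificate      = /etc/exim/mail.example.com.crt   # assumed path
tls_privatekey       = /etc/exim/mail.example.com.key   # assumed path

# Advertise AUTH only when the session is already encrypted:
# $tls_in_cipher is empty on a cleartext connection, so no
# credentials can be offered in the clear on port 25 either.
auth_advertise_hosts = ${if eq{$tls_in_cipher}{}{}{*}}

acl_smtp_dkim = acl_check_dkim          # assumed ACL name

begin acl

acl_check_dkim:
  # Strict variant (tutorial style): refuse the message outright.
  # deny   dkim_status = fail : invalid
  #        message     = DKIM verification failed for $dkim_cur_signer

  # Loosened variant: accept the message, but stamp the verdict into a
  # header and the log. A Sieve rule matching "X-DKIM-Status: fail"
  # or "X-DKIM-Status: invalid" can then rewrite the Subject and file
  # the message into Spam, as the reply above suggests.
  warn   dkim_status  = fail : invalid
         add_header   = X-DKIM-Status: $dkim_verify_status ($dkim_verify_reason) signer=$dkim_cur_signer
         log_message  = DKIM $dkim_verify_status from signer $dkim_cur_signer
  accept
```

The same split applies on the Dovecot side (listen on 993/995 only and set ssl = required) so that IMAP and POP3 logins, like SMTP AUTH here, are never offered over an unencrypted socket.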