Re: [exim] Running our own email server on GCP

Author: Terrance Devor
Date:
To: Zakaria, mbaig, exim-users
Subject: Re: [exim] Running our own email server on GCP
Hello Zakaria,

- Adding Mohamed who is our CTO

Please see my comments inline


On Mon, Feb 7, 2022 at 5:26 PM Zakaria via Exim-users <exim-users@???>
wrote:

>    Hi Terrance,
>    Here is my input.
>    I have configured EXIM with Dovecot in a VPS. I think it would be doable
>    in a similar way with docker containers, I presume, and if it's not, then
>    it seems the issues would be along the lines of just requiring ports to
>    be opened. I used neither port 26 nor found any need for it in my VPS
>    setup, but I read somewhere that GCP blocks 25 and people turn to 26 as
>    the unique one, thus it needs to be opened for SMTP authentications and
>    connections.

>


Agreed, the setup will be very similar and we will need to set up the
correct INGRESS/EGRESS rules to open the ports for SMTP/IMAP. The idea is to
set up EXIM/Dovecot with emails persisted to a filesystem. IMAP/POP will be
configured to force our employees to download the emails onto their local
machines after the quota (200MB) has been met. I am a little confused by
the whole "use port 26 instead of port 25" idea: would EHLO attempts from
other SMTP servers still work? Would they not attempt the EHLO on port 25,
at which point the EHLO attempt would fail?


>    In regards to the security implementation to handle DKIM, SPF, DMARC and
>    DANE, I recommend the sidn.nl tutorials on how to configure them; they
>    offered me a great resource to understand how it works. As always with
>    me, while it depends on your security ideals, I still suggest loosening
>    the sidn.nl denies to warnings so as to make sure all emails are
>    received, and perhaps adding headers indicating which validation failed,
>    if any, and using sieve to forward to spam with a rewritten subject, e.g.
>    if the content is likely spam, rewrite to "spam content", and in the
>    event of a DKIM failure, either bad or invalid signature, then add "DKIM
>    failure" accordingly, etc. Refer to
>    https://www.sidn.nl/en/modern-internet-standards/hands-on-implementing-spf-dkim-and-dmarc-in-exim
>    https://www.sidn.nl/en/news-and-blogs/hands-on-implementing-dane-in-exim

>


This will be very important. Because this is for corporate emails we don't
want to ask our clients to check their SPAM folder...



>    I have not tested Postfix, but so far EXIM as MTA and Dovecot as IMAP
>    server together work just perfectly, therefore I recommend using them
>    over Postfix.

>


We also want to go with EXIM/Dovecot with spam and virus detection.


>    Also, I recommend securing EXIM and Dovecot so as to handle connections
>    only over SSL. I think it's better to enable the mail server over SSL and
>    disable STARTTLS, i.e. enable port 465 for SMTP and 993 for IMAP and I
>    guess 995 for POP3 to enable SSL, as well as disable 587, 143 and 110 to
>    disable STARTTLS and require SSL, i.e. encryption, in SMTP
>    authentications and IMAP as well as POP3 connections, since it seems
>    STARTTLS is prone to some attack vectors; refer
>    to https://nostarttls.secvuln.info/



I configured something very similar when I set up my own email server 15
years ago. Would love to see the same setup (i.e., use of SSL with disabled
STARTTLS, enabling ports 465/993 only and disabling the rest). We need a
very secure email server instance that requires employees to get on the
company VPN to send/receive email.

>
>    In terms of the SSL library, I compiled the recent EXIM master against
>    the latest OpenSSL, I guess 3.0.1, and it works perfectly with no issues.
>    Lastly, it's ARC. I am currently working on configuring experimental ARC;
>    so far the EXIM experimental documentation seems to be a good starting
>    point. I've not finished, and there could be more elaborate sources out
>    there other than the EXIM notes, so I recommend doing further research
>    on your own. It seems generally it's all about adding several blocks in
>    ACLs and options in transports and routers, along with enabling the ARC
>    flag during compilation.
>    I hope you find my input helpful, with good luck.
>    Zakaria.

>


As discussed, I set up an email server on a 2U which I had in my home about
10 years ago, back in the EXIM4 days. Currently, the technical work is well
over my ability and I would really appreciate it if you guys would help us
deploy this on our K8S cluster.

We have a small budget that I could put towards setting up a fully secured
EXIM and Dovecot server on our Kubernetes cluster. We would package up the
custom docker image; we need someone to help with the configuration and lock
everything down for a secure email service that is fully verified.

Can you please help?




>    On 5 Feb 2022 15:01, Byung-Hee HWANG via Exim-users
>    <exim-users@???> wrote:

>
>      Terrance Devor via Exim-users <exim-users@???> writes:
>      > To add some additional information regarding what we are trying to
>      > achieve:
>      >
>      > - An email server as a docker container. Prefer EXIM, however
>      > Postfix would work
>      > - A POP3/IMAP server as a docker container
>      >
>      > The containers will be deployed to a kubernetes cluster on GCP. We
>      > also want DKIM and all the verification to work perfectly. This is
>      > for my own company, security is a must :)
>      >
>      > Can anyone please help guide in the right direction?
>      As you know, all bytes are money on GCP, AWS and other Cloud
>      services. So I do not use POP3/IMAP on GCP. All incoming emails go
>      forward to a real Gmail box:
>      #+BEGIN_SRC text
>      soyeomul@bionic190316003:~$ cat ~/.forward
>      soyeomul+gcp@???
>      #+END_SRC
>      And I don't know about docker. Both Exim and Postfix are good
>      MTAs.
>      Sincerely, Byung-Hee
>      --
>      ## List details at
>      https://lists.exim.org/mailman/listinfo/exim-users
>      ## Exim details at http://www.exim.org/
>      ## Please use the Wiki with this list - http://wiki.exim.org/

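The TLS-only ports and the "warn and tag instead of deny" SPF/DKIM handling that Zakaria describes, written out as Exim configuration fragments. This is an added example, not configuration from anyone in the thread; the domain, certificate paths and the VPN host range are placeholders. Port 25 stays open with STARTTLS because remote MTAs delivering inbound mail always EHLO on 25 (which answers Terrance's question), while employee submission gets implicit TLS on 465 only and no 587 at all.

```exim
# Added example (not from the thread). Requires Exim built with SPF and
# DKIM support; domain, paths and the relay range below are placeholders.
domainlist local_domains = example.com
hostlist   relay_from_hosts = 10.8.0.0/24     # placeholder VPN range

# 25 for inbound MX traffic (other MTAs always EHLO there, STARTTLS is
# opportunistic), 465 for employee submission with TLS from the first byte.
# Port 587 is simply not listened on, so there is no STARTTLS submission.
daemon_smtp_ports    = 25 : 465
tls_on_connect_ports = 465
tls_advertise_hosts  = *
tls_certificate      = /etc/exim/certs/mail.example.com.pem
tls_privatekey       = /etc/exim/certs/mail.example.com.key
# Never advertise AUTH on a cleartext session ($tls_in_cipher is empty
# then), so no client can send a password in the clear on port 25.
auth_advertise_hosts = ${if eq{$tls_in_cipher}{}{}{*}}

acl_smtp_rcpt = acl_check_rcpt
acl_smtp_dkim = acl_check_dkim
acl_smtp_data = acl_check_data

begin acl

acl_check_rcpt:
  accept  authenticated = *                  # employee submission over 465
  accept  hosts = +relay_from_hosts
  require verify = recipient
  # SPF: warn and tag rather than deny, so a misconfigured sender still
  # lands in the mailbox and Dovecot/sieve can route it to Spam.
  warn    spf = fail : softfail
          add_header = X-SPF-Verify: $spf_result from $sender_host_address
          logwrite   = SPF $spf_result for $sender_address
  accept  domains = +local_domains
  deny    message = relay not permitted

# Runs once per DKIM signer after DATA; tag failures, do not reject.
acl_check_dkim:
  warn    dkim_status = fail : invalid
          add_header = X-DKIM-Verify: $dkim_verify_status for $dkim_cur_signer ($dkim_verify_reason)
  accept

acl_check_data:
  # Standard Authentication-Results header (Exim 4.92+) summarising SPF,
  # DKIM and AUTH so sieve rules can key on one header.
  warn    add_header = :at_start:${authresults {$primary_hostname}}
  accept
```

On the Dovecot side the matching settings are `ssl = required` plus `port = 0` on the plaintext `imap` and `pop3` inet_listeners, which leaves only 993 and 995 open. A sieve rule can then test the `X-DKIM-Verify` / `Authentication-Results` headers added above to rewrite the subject and file the message into Spam.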