Hi Terrance, Mohamed,
If port 25 on such an SMTP server is open and accessible remotely then the EHLO command will work, and if not then at that point it is not possible to initiate since its port is not accessible, and this is the point where EHLO wouldn't work. To check port accessibility, I advise referring to port checker tools and online services, inserting the server IP and checking if the relevant port is open, or using the following command:
ss -alpnt | grep '25'
I'm really sorry for not being able to help in configuring it myself; it's just that I've many things to do, while I would love to, but I'm happy to answer any question on any issue you might face. I advise just hitting the ground and starting to compile and install dovecot and exim; things will be easy once you start setting up the configuration files.
With good luck.
Zakaria.
On 19 Feb 2022 17:42, Terrance Devor via Exim-users <exim-users@???> wrote:
Hello Zakaria,
- Adding Mohamed who is our CTO
Please see my comments inline
On Mon, Feb 7, 2022 at 5:26 PM Zakaria via Exim-users <exim-users@???> wrote:
> Hi Terrance,
> Here is my input.
> I have configured EXIM with dovecot in a VPS, I think it would be doable in a similar way in docker containers I presume, and if it's not then it seems the issues would be along the lines of just requiring ports to be opened, although I used neither port 26 nor found any need for it in my VPS setup, but I read somewhere GCP blocks 25 and people turn to 26 as the unique one, thus it needs to be opened for SMTP authentications and connections.
>
Agreed, the setup will be very similar and we will need to set up the correct IN/EGRESS rules to set up the ports for SMTP/IMAP. The idea is to set up EXIM/Dovecot with emails persisted to a filesystem. IMAP/POP will be configured to force our employees to download the emails onto their local machines after the quota (200MB) has been met. I am a little confused by the whole use port 26 instead of port 25: would EHLO attempts from other SMTP servers still work? Would they not attempt the EHLO on port 25? At which point the EHLO attempt would fail.
> In regards to security implementation to handle DKIM, SPF, DMARC and DANE I recommend the sidn.nl tutorials on how to configure them; they offered me a great resource to understand how it works and, as always with me, while it depends on your security ideals, still I suggest loosening sidn.nl's denys to warning so as to make sure all emails are received, and perhaps add headers indicating which validation fails in case there was one, and use sieve to forward to spam with a rewritten subject, e.g. content is likely spam, rewrite "spam content", and in the event of DKIM failure, either bad or invalid signature, then add DKIM failure accordingly, etc. Refer to
> https://www.sidn.nl/en/modern-internet-standards/hands-on-implementing-spf-dkim-and-dmarc-in-exim
> https://www.sidn.nl/en/news-and-blogs/hands-on-implementing-dane-in-exim
>
This will be very important. Because this is for corporate emails we don't want to ask our clients to check their SPAM folder...
> I have not tested Postfix but so far EXIM as MTA and Dovecot as IMAP server together work just perfectly, therefore I recommend using them over Postfix.
>
We also want to go with EXIM/Dovecot with spam and virus detection.
> Also, I recommend securing EXIM and Dovecot so as to handle connections only over SSL. I think it's better to enable the mail server over SSL and disable STARTTLS, i.e. enable port 465 for SMTP and 993 for IMAP and I guess 995 for POP3 to enable SSL, as well as disable 587, 143 and 110 to disable STARTTLS and require SSL, i.e. encryption, in SMTP authentications and IMAP as well as POP3 connections, since it seems STARTTLS is prone to some attack vectors, refer to https://nostarttls.secvuln.info/
I configured something very similar when I set up my own email server 15 years ago. Would love to see the same setup (i.e., use of SSL with disabled STARTTLS, enabling ports 465/993 only and disabling the rest). We need a very secure email server instance that requires employees to get on the company VPN to send/receive email.
>
> In terms of SSL library, I compiled recent EXIM master against the latest openssl, I guess 3.0.1, and it works perfectly with no issues.
> Lastly it's ARC. I am currently working on configuring ARC experimental; so far the EXIM experimental documentation seems to be a good starting point. I've not finished, and there could be more elaborate sources out there other than the EXIM notes, so I recommend doing further research on your own. It seems generally it's all about adding several blocks in ACLs and options in transports and routers along with enabling the ARC flag during compilation.
> I hope you find my input helpful, with good luck.
> Zakaria.
>
As discussed, I set up an email server on a 2U which I had in my home about 10 years ago, EXIM4 days.... Currently, the technical work is well over my ability and I would really appreciate it if you guys would help us deploy this on our K8S cluster.
We have a small budget that I could put towards setting up a fully secured EXIM and dovecot server on our Kubernetes cluster. We would package up the custom docker image; we need someone to help in the configuration and lock everything down for a secure email service that is fully verified.
Can you please help?
> On 5 Feb 2022 15:01, Byung-Hee HWANG via Exim-users <exim-users@???> wrote:
>
> Terrance Devor via Exim-users <exim-users@???> writes:
> > To add some additional information regarding what we are trying to achieve:
> >
> > - An email server as a docker container. Prefer EXIM however Postfix would work
> > - A POP3/IMAP server as a docker container
> >
> > The containers will be deployed to a kubernetes cluster on GCP. We also want DKIM and all the verification to work perfectly. This is for my own company, security is a must :)
> >
> > Can anyone please help guide in the right direction?
> As you know, all bytes are money on GCP, AWS and other Cloud services. So I do not use POP3/IMAP on GCP. All incoming emails go forward to a real Gmail box:
> #+BEGIN_SRC text
> soyeomul@bionic190316003:~$ cat ~/.forward
> soyeomul+gcp@???
> #+END_SRC
> And I don't know about docker. Both Exim and Postfix are good MTAs.
> Sincerely, Byung-Hee
> --
> ## List details at https://lists.exim.org/mailman/listinfo/exim-users
> ## Exim details at http://www.exim.org/
> ## Please use the Wiki with this list - http://wiki.exim.org/
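As an added example that is not part of this thread, here is a small POSIX shell audit that parses the output of `ss -alpnt` (the command Zakaria gives above) against the port policy he recommends: implicit-TLS listeners on 465/993/995 plus 25 for inbound MX traffic, and the STARTTLS-era ports 587/143/110 not listening. The `ss` sample below is constructed for illustration, not captured from a real host.

```shell
#!/bin/sh
# Constructed sample of `ss -alpnt` output (not from a real server):
# exim listens on 25/465 and still on 587, dovecot on 993 and still on 143, no 995.
SAMPLE_SS_OUTPUT='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      20     0.0.0.0:25        0.0.0.0:*    users:(("exim4",pid=1203,fd=3))
LISTEN 0      20     0.0.0.0:465       0.0.0.0:*    users:(("exim4",pid=1203,fd=4))
LISTEN 0      20     [::]:587          [::]:*       users:(("exim4",pid=1203,fd=5))
LISTEN 0      100    0.0.0.0:993       0.0.0.0:*    users:(("dovecot",pid=1310,fd=20))
LISTEN 0      100    0.0.0.0:143       0.0.0.0:*    users:(("dovecot",pid=1310,fd=22))'

# Read `ss -alpnt` output on stdin and print each listening TCP port once, sorted.
# The local address is field 4; the port is whatever follows the last ':' (works for
# 0.0.0.0:25, [::]:25 and *:25 alike). The header line has "State" in field 1 and is skipped.
listening_ports() {
    awk '$1 == "LISTEN" { n = split($4, a, ":"); print a[n] }' | sort -un
}

# Audit the listeners against the implicit-TLS-only policy from the thread.
# Prints one finding per line:
#   OK   <port>  required listener present (25 inbound MX, 465 SMTPS, 993 IMAPS, 995 POP3S)
#   MISS <port>  required listener absent
#   WARN <port>  STARTTLS-era port (587, 143, 110) still listening and should be disabled
# Returns 0 when there are no MISS/WARN findings, 1 otherwise.
audit_mail_ports() {
    ports=$(listening_ports)
    rc=0
    for p in 25 465 993 995; do
        if printf '%s\n' "$ports" | grep -qx "$p"; then
            echo "OK   $p"
        else
            echo "MISS $p"; rc=1
        fi
    done
    for p in 587 143 110; do
        if printf '%s\n' "$ports" | grep -qx "$p"; then
            echo "WARN $p"; rc=1
        fi
    done
    return $rc
}

# Run against the constructed sample; on a live host use:  ss -alpnt | audit_mail_ports
printf '%s\n' "$SAMPLE_SS_OUTPUT" | audit_mail_ports || :
```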