Re: [exim] Running our own email server on GCP

Pàgina inicial
Delete this message
Reply to this message
Autor: Terrance Devor
Data:  
A: Zakaria
CC: mbaig, exim-users
Assumpte: Re: [exim] Running our own email server on GCP
Hello Zakaria,

I agree if port 25 is open it would work just fine, but how to get around
the fact that GCP block port 25?

On Sat, Feb 19, 2022 at 2:05 PM Zakaria <hi@???> wrote:

> Hi Terrence, Mohamed,
>
> If port 25 on such SMTP server is open and accessible remotely then EHLO
> command will work, and if not then at such point it is not possible to be
> initiated since its port is not accessible and this is the point where EHLO
> wouldnt work. To check ports accessibility, I advise to refer to port
> checkers tools and online services, insert server IP and check if the
> relevant port is open or use the following command:-
>
> ss -alpnt | grep '25'
>
> I'm really sorry for not being able to help in configuring by myself, its
> just I've many things to do while I would love to but I'm happy to answer
> any question to any issue you might face. I advise to just hit the ground
> and start compiling and installing dovecot and exim and things will be easy
> once you start setting up the configuration files.
>
> With good luck.
>
> Zakaria.
>
> On 19 Feb 2022 17:42, Terrance Devor via Exim-users <exim-users@???>
> wrote:
>
> Hello Zakaria,
>
> - Adding Mohamed who is our CTO
>
> Please see my comments inline
>
>
> On Mon, Feb 7, 2022 at 5:26 PM Zakaria via Exim-users <exim-users@???>
>
> wrote:
>
> >    Hi Terrance,
> >    Here is my input.
> >    I have configured EXIM with dovecot in VPS, I think it would be
> doable
> >    in similar way to docker containers I presume and if its not then
> seems
> >    the issues would be along the lines of just requiring ports opening,
> >    although I used not port 26 nor I found any need in my VPS setup but
> I
> >    read somewhere GCP blocks 25 and people turn to 26 as unique one thus
> >    needs to be opened for SMTP authentications and connections.

> >
>
> Agreed, the setup will be very similar and we will need to setup the
> correct IN/EGRESS rules to setup the ports for SMTP/IMAP. The idea is to
> setup EXIM/Dovecot with emails persisted to a filesystem. IMAP/POP will be
> configured to force our employees to download the emails onto their local
> machines after the quote (200MB) has been met. I am a little confused by
> the whole use port 26 instead of port 25, whould EHLO attempt from other
> SMTP servers still work? Would they not attempt the EHLO on port 25? At
> which point the EHLO attempt would fail.
>
>
> >    In regards security implementation to handle DKIM, SPF, DMARC and
> DANE
> >    I recommend sidn.nl tutorials on how to configure them, they offered
> me
> >    great resource to understand how it works and, as always with me
> while
> >    its depending on your security ideals still I suggest to loosen
> sidn.nl
> >    denys to warning so to make sure all emails are received and perhaps
> >    add headers indicating which validation fails in case there was, and
> >    using sieve forward to spam with rewritten subject, e.g. content is
> >    likely spam, rewrite " spam content ", and in the event of DKIM
> failure
> >    either bad or invalid signature, then add DKIM failure accordingly,
> >    etc. Refer to

> >
> https://www.sidn.nl/en/modern-internet-standards/hands-on-implementing-
> >    spf-dkim-and-dmarc-in-exim

> >
> https://www.sidn.nl/en/news-and-blogs/hands-on-implementing-dane-in-exi
> >    m

> >
>
> This will be very important. Because this is for corporate emails we don't
> want to ask our clients to check their SPAM folder...
>
>
>
> >    I have not tested Postfix but so far EXIM as MTA and Dovecot as IMAP
> >    Server, together works just perfectly, therefore I recommend using
> them
> >    over Postfix.

> >
>
> We also want to go with EXIM/Dovecot with spam and virus detection.
>
>
> >    Also, I recommend to secure EXIM and Dovecot so to handle connections
> >    only over SSL, I think its better to enable mail server over SSL and
> >    disable STARTTLS i.e. enable port 465 for SMTP and 993 for IMAP and I
> >    guess 995 for POP3 to enable SSL as well as disable 587, 143 and 110
> to
> >    disable STARTTLS and require ssl i.e. encryption in SMTP
> >    authentications and IMAP as well as POP3 connections, since it seems
> >    STARTTLS is prune to some attack vectors, refer
> >    to https://nostarttls.secvuln.info/

>
>
> I configured something very similar when I setup my own email server 15
> years ago. Would love to see the same setup (ie, use of SSL with disabled
> STATTLS and enabling ports 465/993 only and disable the rest) We need a
> very secured email server instance that require employees to get on the
> company VPN to send/receive email.
>
> >
> >    In terms of ssl library, I compiled recent EXIM master against latest
> >    openssl, I guess 3.0.1 and it works perfectly with no issues.
> >    Lastly its ARC, I am currently working on configuring ARC
> experimental,
> >    so far the EXIM experimental documentation seems to be a good
> starting
> >    point. I've not finished, and there could be out there more
> elaborative
> >    sources other than EXIM notes, so I recommend to do further research
> on
> >    your own. It seems generally its all about adding several blocks in
> >    ACLs and options in transports and routers along enabling ARC flag
> >    during compilation.
> >    I hope you find my input helpful, with good luck.
> >    Zakaria.

> >
>
> As discussed, I setup an email server on a 2U which I had in my home about
> 10 years ago EXIM4 days.... Currently, technical work is well over my
> ability and would really appreciate if you guys would help us deploy this
> on our K8S cluster.
>
> We have a small budget that I could put towards settting up a fully
> secured
> EXIM and dovecot server on our Kuberntes cluster. We would package up the
> custom docker image, we need someone to help in the configuration and lock
> everything down for a secure email service that is fully verified.
>
> Can you please help?
>
>
>
>
> >    On 5 Feb 2022 15:01, Byung-Hee HWANG via Exim-users
> >    <exim-users@???> wrote:

> >
> >      Terrance Devor via Exim-users <exim-users@???> writes:
> >      > To add some additional information regarding what we are trying
> to
> >      achieve:
> >      >
> >      > - An email server as a docker container. Prefer EXIM however
> >      Postfix would
> >      > work
> >      > - A POP3/IMAP server as a docker container

> >      >
> >      > The containers will be deployed to a kubernetes cluster on GCP.
> We
> >      also
> >      > want DKIM and all the verification to work perfectly. This is for
> >      my own
> >      > company, security is a must :)

> >      >
> >      > Can anyone please help guide in the right direction?
> >      As you know, all bytes are money on GCP, AWS and other Cloud
> >      services. So i do not use POP3/IMAP on GCP. All incoming emails
> goes
> >      forward to real Gmail box:
> >      #+BEGIN_SRC text
> >      soyeomul@bionic190316003:~$ cat ~/.forward
> >      soyeomul+gcp@???
> >      #+END_SRC
> >      And i don't know about a docker. +Both Exim and Postfix are good
> >      MTA.
> >      Sincerely, Byung-Hee
> >      --
> >      ## List details at
> >      https://lists.exim.org/mailman/listinfo/exim-users
> >      ## Exim details at http://www.exim.org/
> >      ## Please use the Wiki with this list - http://wiki.exim.org/
> > --
> > ## List details at https://lists.exim.org/mailman/listinfo/exim-users
> > ## Exim details at http://www.exim.org/
> > ## Please use the Wiki with this list - http://wiki.exim.org/

> >
> --
> ## List details at https://lists.exim.org/mailman/listinfo/exim-users
> ## Exim details at http://www.exim.org/
> ## Please use the Wiki with this list - http://wiki.exim.org/
>
>
>