Hello Zakaria,
I agree if port 25 is open it would work just fine, but how to get around
the fact that GCP blocks port 25?
On Sat, Feb 19, 2022 at 2:05 PM Zakaria <hi@???> wrote:
> Hi Terrence, Mohamed,
>
> If port 25 on such an SMTP server is open and accessible remotely, then the
> EHLO command will work, and if not, then at that point it is not possible to
> be initiated since its port is not accessible, and this is the point where
> EHLO wouldn't work. To check port accessibility, I advise referring to port
> checker tools and online services, inserting the server IP and checking if
> the relevant port is open, or using the following command:
>
> ss -alpnt | grep '25'
>
> I'm really sorry for not being able to help with the configuration myself;
> it's just that I have many things to do, though I would love to, but I'm
> happy to answer any question on any issue you might face. I advise just
> hitting the ground and starting to compile and install dovecot and exim;
> things will be easy once you start setting up the configuration files.
>
> With good luck.
>
> Zakaria.
>
> On 19 Feb 2022 17:42, Terrance Devor via Exim-users <exim-users@???>
> wrote:
>
> Hello Zakaria,
>
> - Adding Mohamed who is our CTO
>
> Please see my comments inline
>
>
> On Mon, Feb 7, 2022 at 5:26 PM Zakaria via Exim-users <exim-users@???>
> wrote:
>
> > Hi Terrance,
> > Here is my input.
> > I have configured EXIM with dovecot in a VPS; I think it would be doable
> > in a similar way with docker containers, I presume, and if it's not, then
> > it seems the issues would be along the lines of just requiring ports to be
> > opened, although I used neither port 26 nor found any need for it in my VPS
> > setup, but I read somewhere that GCP blocks 25 and people turn to 26 as a
> > unique one, which thus needs to be opened for SMTP authentication and
> > connections.
> >
>
> Agreed, the setup will be very similar and we will need to set up the
> correct INGRESS/EGRESS rules to set up the ports for SMTP/IMAP. The idea is
> to set up EXIM/Dovecot with emails persisted to a filesystem. IMAP/POP will
> be configured to force our employees to download the emails onto their local
> machines after the quota (200MB) has been met. I am a little confused by
> the whole "use port 26 instead of port 25" idea: would EHLO attempts from
> other SMTP servers still work? Would they not attempt the EHLO on port 25?
> At which point the EHLO attempt would fail.
>
>
> > In regards to security implementation to handle DKIM, SPF, DMARC and
> > DANE, I recommend the sidn.nl tutorials on how to configure them; they
> > offered me a great resource to understand how it works and, as always
> > with me, while it depends on your security ideals, I still suggest
> > loosening the sidn.nl denies to warnings so as to make sure all emails
> > are received, and perhaps adding headers indicating which validation
> > fails, in case there was one, and using sieve to forward to spam with a
> > rewritten subject, e.g. if content is likely spam, rewrite to " spam
> > content ", and in the event of DKIM failure, either bad or invalid
> > signature, then add DKIM failure accordingly, etc. Refer to
> >
> > https://www.sidn.nl/en/modern-internet-standards/hands-on-implementing-spf-dkim-and-dmarc-in-exim
> >
> > https://www.sidn.nl/en/news-and-blogs/hands-on-implementing-dane-in-exim
> >
>
> This will be very important. Because this is for corporate emails we don't
> want to ask our clients to check their SPAM folder...
>
>
>
> > I have not tested Postfix, but so far EXIM as MTA and Dovecot as IMAP
> > server together work just perfectly, therefore I recommend using them
> > over Postfix.
> >
>
> We also want to go with EXIM/Dovecot with spam and virus detection.
>
>
> > Also, I recommend securing EXIM and Dovecot so as to handle connections
> > only over SSL; I think it's better to enable the mail server over SSL and
> > disable STARTTLS, i.e. enable port 465 for SMTP and 993 for IMAP and I
> > guess 995 for POP3 to enable SSL, as well as disable 587, 143 and 110 to
> > disable STARTTLS and require SSL, i.e. encryption, in SMTP
> > authentication and IMAP as well as POP3 connections, since it seems
> > STARTTLS is prone to some attack vectors; refer
> > to https://nostarttls.secvuln.info/
>
>
> I configured something very similar when I set up my own email server 15
> years ago. Would love to see the same setup (i.e., use of SSL with disabled
> STARTTLS, enabling ports 465/993 only and disabling the rest). We need a
> very secure email server instance that requires employees to get on the
> company VPN to send/receive email.
>
> >
> > In terms of SSL library, I compiled recent EXIM master against the latest
> > openssl, I guess 3.0.1, and it works perfectly with no issues.
> > Lastly, it's ARC; I am currently working on configuring experimental ARC,
> > and so far the EXIM experimental documentation seems to be a good starting
> > point. I've not finished, and there could be more elaborate sources out
> > there other than the EXIM notes, so I recommend doing further research on
> > your own. It seems generally it's all about adding several blocks in
> > ACLs and options in transports and routers, along with enabling the ARC
> > flag during compilation.
> > I hope you find my input helpful, with good luck.
> > Zakaria.
> >
>
> As discussed, I set up an email server on a 2U which I had in my home about
> 10 years ago, in the EXIM4 days.... Currently, the technical work is well
> over my ability and I would really appreciate it if you guys would help us
> deploy this on our K8S cluster.
>
> We have a small budget that I could put towards setting up a fully secured
> EXIM and dovecot server on our Kubernetes cluster. We would package up the
> custom docker image; we need someone to help with the configuration and lock
> everything down for a secure email service that is fully verified.
>
> Can you please help?
>
> > On 5 Feb 2022 15:01, Byung-Hee HWANG via Exim-users
> > <exim-users@???> wrote:
> >
> > Terrance Devor via Exim-users <exim-users@???> writes:
> > > To add some additional information regarding what we are trying to
> > > achieve:
> > >
> > > - An email server as a docker container. Prefer EXIM, however Postfix
> > > would work
> > > - A POP3/IMAP server as a docker container
> > >
> > > The containers will be deployed to a kubernetes cluster on GCP. We
> > > also want DKIM and all the verification to work perfectly. This is for
> > > my own company, security is a must :)
> > >
> > > Can anyone please help guide in the right direction?
> > As you know, all bytes are money on GCP, AWS and other Cloud
> > services. So I do not use POP3/IMAP on GCP. All incoming emails go
> > forward to a real Gmail box:
> > #+BEGIN_SRC text
> > soyeomul@bionic190316003:~$ cat ~/.forward
> > soyeomul+gcp@???
> > #+END_SRC
> > And I don't know about docker. Both Exim and Postfix are good
> > MTAs.
> > Sincerely, Byung-Hee
> > --
> > ## List details at https://lists.exim.org/mailman/listinfo/exim-users
> > ## Exim details at http://www.exim.org/
> > ## Please use the Wiki with this list - http://wiki.exim.org/
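An added example, not from any message in this thread: a POSIX shell audit of a host's listening TCP ports against the port policy discussed above (25 kept open for MTA-to-MTA EHLO, implicit TLS only on 465/993/995, no STARTTLS listeners on 587/143/110). It matches whole port numbers, so a listener on 2525 is not mistaken for 25. The ss(8) output below is constructed sample data; on a real host you would pipe `ss -ltn` into `audit_ports`.

```shell
#!/bin/sh
# Added example, not from the thread: audit listening TCP ports against an
# allow-list. Input is ss(8) "-ltn"-style text on stdin so it can run on
# constructed data as well as on the real command output.

# Print the local port of every LISTEN line, one per line.
listening_ports() {
  # ss -ltn columns: State Recv-Q Send-Q Local Address:Port Peer Address:Port
  # The port is the last ':'-separated field, which also handles "[::]:465".
  awk '$1 == "LISTEN" { n = split($4, a, ":"); print a[n] }'
}

# Print the listening ports from stdin that are NOT in the allow-list
# (space-separated, e.g. "25 465 993 995"); exit 1 if there are any.
audit_ports() {
  allowed="$1"
  bad=""
  for p in $(listening_ports); do
    case " $allowed " in
      *" $p "*) ;;             # whole-number match against the allow-list
      *) bad="$bad $p" ;;      # unexpected listener, e.g. a STARTTLS port
    esac
  done
  bad=${bad# }
  [ -z "$bad" ] && return 0
  printf '%s\n' "$bad"
  return 1
}

# Constructed ss(8) output for a host that still has STARTTLS listeners
# (587 and 143) open alongside the implicit-TLS ports.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
LISTEN 0      20     0.0.0.0:25          0.0.0.0:*
LISTEN 0      20     0.0.0.0:587         0.0.0.0:*
LISTEN 0      20     [::]:465            [::]:*
LISTEN 0      100    [::]:143            [::]:*
LISTEN 0      100    [::]:993            [::]:*'

# Run the audit over the constructed sample.
# Real use:  ss -ltn | audit_ports "22 25 465 993 995"
audit_sample() { printf '%s\n' "$SAMPLE_SS" | audit_ports "$1"; }
```

Running `audit_sample "22 25 465 993 995"` prints `587 143` and exits non-zero, which is the signal to remove those listeners (or, for an internal-only service, to restrict them with firewall rules).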