Home mail server tutorial - is security still OK?

roccobaroccoSC

Aspiring Daemon

Reaction score: 226
Messages: 749

Hi, I am reading this tutorial about setting up a home mail server with mail/postfix and mail/dovecot: https://forums.freebsd.org/threads/...r-with-tls-and-non-plain-authenticatio.42507/
It has been 8 years in the meantime, so I am wondering if the configuration described there is still adequate in 2021?

More specifically, the author suggests using auth_mechanisms = cram-md5 and ssl_cipher_list = TLSv1+HIGH:!3DES:!CAMELLIA:!aNULL:@STRENGTH.
Should I maybe try to configure OAUTHBEARER (Yahoo's IMAP uses it for OAuth2, for example)?
My browser is currently using TLS 1.3 and 256 bit keys.

It is assumed that the IMAP and SMTP would be exposed to the Internet.
 

msplsh

Aspiring Daemon

Reaction score: 224
Messages: 624

Depends on your threat model. For snooping, the SSL will protect any auth mechanism, although if it's just your client connecting, crank TLSv1 up to TLSv1.3 if it will support it. For the passwords at rest, again, this depends on client support. You can't switch to OAuth if your client does not support it.
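To make the settings from the question concrete, here is an added example that is not from the thread or from either tutorial: a constructed Dovecot 2.3-style fragment in the spirit of the 2013 howto next to a hardened one, plus a small audit that flags the points raised so far (TLS floor, plaintext auth, cipher order, what cram-md5 implies for the password store). The directive names ssl_min_protocol, ssl_prefer_server_ciphers and disable_plaintext_auth are real Dovecot 2.3 settings (older 2.2 releases use ssl_protocols for the floor); the certificate paths, the cipher strings and the finding names are assumptions. One caveat worth knowing: the TLSv1+ prefix in the tutorial's ssl_cipher_list is an OpenSSL cipher-suite selector, not a protocol minimum, so it does not by itself stop TLS 1.0 or 1.1 from being negotiated.

```python
import re

# Constructed fragments, not copied from the thread's tutorial. Paths are placeholders.
OLD_CONF = """\
# settings in the spirit of the 2013 howto
ssl = yes
ssl_cert = </etc/ssl/certs/mail.pem
ssl_key = </etc/ssl/private/mail.key
ssl_cipher_list = TLSv1+HIGH:!3DES:!CAMELLIA:!aNULL:@STRENGTH
disable_plaintext_auth = no
auth_mechanisms = cram-md5 plain login
"""

NEW_CONF = """\
ssl = required
ssl_cert = </etc/ssl/certs/mail.pem
ssl_key = </etc/ssl/private/mail.key
ssl_min_protocol = TLSv1.2
ssl_cipher_list = ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5:!3DES:@STRENGTH
ssl_prefer_server_ciphers = yes
disable_plaintext_auth = yes
auth_mechanisms = plain login
"""

KV = re.compile(r"^\s*([A-Za-z0-9_]+)\s*=\s*(.*?)\s*$")


def parse(conf: str) -> dict:
    """Flat key=value view of a dovecot.conf fragment; blocks and includes are ignored."""
    settings = {}
    for line in conf.splitlines():
        line = line.split("#", 1)[0]
        m = KV.match(line)
        if m:
            settings[m.group(1)] = m.group(2)
    return settings


def tls_version(value: str):
    """Map 'TLSv1' -> 1.0, 'TLSv1.2' -> 1.2; None for anything unrecognised."""
    m = re.fullmatch(r"TLSv1(?:\.(\d))?", value.strip())
    return None if not m else float("1." + (m.group(1) or "0"))


def audit(conf: str) -> list:
    """Return finding ids (assumed names) for the weak points of a fragment."""
    s = parse(conf)
    findings = []
    # 'ssl = yes' only offers STARTTLS; 'required' refuses auth on cleartext sessions.
    if s.get("ssl", "yes") != "required":
        findings.append("ssl-not-required")
    # The cipher list is not a protocol floor; the floor must be set explicitly.
    floor = s.get("ssl_min_protocol")
    if floor is None or (tls_version(floor) or 0) < 1.2:
        findings.append("tls-floor-below-1.2")
    mechs = s.get("auth_mechanisms", "plain").lower().split()
    # PLAIN/LOGIN carry the password itself; only acceptable inside TLS.
    if s.get("disable_plaintext_auth", "yes") != "yes" and ({"plain", "login"} & set(mechs)):
        findings.append("plaintext-auth-without-tls")
    # CRAM-MD5 can only be verified from the password or a password-equivalent
    # HMAC state, so the store cannot be a salted one-way hash.
    if "cram-md5" in mechs:
        findings.append("cram-md5-needs-password-equivalent-store")
    if s.get("ssl_prefer_server_ciphers", "no") != "yes":
        findings.append("server-cipher-order-not-enforced")
    return findings


if __name__ == "__main__":
    for name, conf in (("old", OLD_CONF), ("new", NEW_CONF)):
        print(name, audit(conf) or "no findings")
```

The audit is a lint, not a substitute for testing the live listener; after changing the TLS floor, confirm what the daemon actually negotiates from a client before disabling anything else.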
 

VladiBG

Daemon

Reaction score: 584
Messages: 1,261

The guide is old; it does not include many new features and changes in Postfix and Dovecot configuration.

It's OK to store the password hash with MD5. The actual authentication, i.e. transmitting the HMAC-MD5 hash, is done over TLS 1.2 or TLS 1.3.

It's NOT OK to store a plain password or to transmit one. It's better to use PostgreSQL for storing the virtual mailbox maps; this will give you an easy way to integrate PostfixAdmin to manage your users.
 

covacat

Aspiring Daemon

Reaction score: 324
Messages: 660

Also make sure your IP reverse-resolves and is not in one of the many "blacklists".
Large email providers (like MSFT) block IPs declared by the owning ISP as residential/dynamic/whatever.
You can get your IP cleared, but it is kind of painful.
If you can send out through your ISP's server and not directly to the recipient's MX, life becomes easier.
Also, there are still enough SMTP servers that don't do TLS, so you should support unencrypted SMTP traffic.
 

astyle

Daemon

Reaction score: 651
Messages: 1,462

A few things I'm not seeing in this thread: one is sendmail.cf, another is SpamAssassin. I set those up when I was setting up an email server on FreeBSD 6.0 for a small shop on one of my first jobs out of college. I don't see a need for postfix, but Dovecot is a good choice, IMHO. sendmail.cf is where you filter what gets added to the inbox file by outside connections. When I did the work, I made sure that stuff like unprintable characters or unresolvable IPs is not allowed. But beyond that, even if you set up your security to the best practices of the day, you still gotta realize that there are scanners out there, in addition to legitimate emails, and connections WILL be noticeable. Kind of like setting a remote-controlled toy boat out in the sea.
 

obsigna

Daemon

Reaction score: 899
Messages: 1,295

Hi, I am reading this tutorial about setting up a home mail server with mail/postfix and mail/dovecot: https://forums.freebsd.org/threads/...r-with-tls-and-non-plain-authenticatio.42507/
It has been 8 years in the meantime, so I am wondering if the configuration described there is still adequate in 2021?

More specifically, the author suggests using auth_mechanisms = cram-md5 and ssl_cipher_list = TLSv1+HIGH:!3DES:!CAMELLIA:!aNULL:@STRENGTH.
Should I maybe try to configure OAUTHBEARER (Yahoo's IMAP uses it for OAuth2, for example)?
My browser is currently using TLS 1.3 and 256 bit keys.

It is assumed that the IMAP and SMTP would be exposed to the Internet.
I was the author of that Howto, at that time I was @rolfheinrich.

Based on that tutorial, I wrote a new one on my blog: https://obsigna.com/articles/1539726598.html

I still suggest cram-md5 as the authentication mechanism since this is what most e-mail clients support. If you use something else, then make sure that it is supported by the clients which are to be used with your mail server installation; otherwise it might happen that your wife mandates you to use WhatsApp instead of e-mail (although this might happen anyway).

Regarding the password store, I would not suggest a database engine for a handful of users, it adds complexity which does not pay back.
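Both VladiBG's point (the HMAC-MD5 response is what crosses the wire, and it still belongs inside TLS) and the recommendation above to keep cram-md5 for client compatibility come down to how the mechanism works, so here is an added example that is not from the thread or the tutorials: a minimal RFC 2195 CRAM-MD5 exchange with both the server and the client side, verified against the worked example in RFC 2195 section 2. The credential store, the host name and the helper names are assumptions. What it shows, from the operator's side, is that the server can only check the response by holding the password or a password-equivalent HMAC state, which is why the "password hash" behind cram-md5 is not a salted one-way hash, and that a captured response, while useless for replay against a fresh challenge, is still a keyed MAC of known input and therefore needs TLS to keep it off the wire.

```python
import base64
import hashlib
import hmac
import secrets
import time

# Constructed credential store (not from the thread). CRAM-MD5 verification needs
# the secret itself (or the HMAC-MD5 state derived from it), so what is stored
# here is password-equivalent; it cannot be a salted one-way hash.
USERS = {"rocco": "correct horse battery staple"}


def server_challenge(hostname="mail.example.invalid"):
    """RFC 2195 challenge: a unique '<counter.timestamp@host>' string, base64 on the wire."""
    nonce = f"<{secrets.randbelow(10**6)}.{int(time.time())}@{hostname}>"
    return base64.b64encode(nonce.encode()).decode()


def client_response(username, password, challenge_b64):
    """Client side: keyed HMAC-MD5 over the decoded challenge, sent as 'user hexdigest'."""
    challenge = base64.b64decode(challenge_b64)
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{username} {digest}".encode()).decode()


def server_verify(response_b64, challenge_b64, users=USERS):
    """Server side: recompute the HMAC with the stored secret and compare in constant time."""
    try:
        username, digest = base64.b64decode(response_b64).decode().split(" ", 1)
    except (ValueError, UnicodeDecodeError):
        return False
    secret = users.get(username)
    if secret is None:
        return False
    expected = hmac.new(secret.encode(), base64.b64decode(challenge_b64), hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest)


def run_exchange(username, password, users=USERS):
    """One full exchange; returns (accepted, challenge, response) so a replay can be tried."""
    chal = server_challenge()
    resp = client_response(username, password, chal)
    return server_verify(resp, chal, users), chal, resp


def rfc2195_example_response():
    """Decoded client line for the worked example in RFC 2195 section 2 (user tim)."""
    challenge_b64 = base64.b64encode(b"<1896.697170952@postoffice.reston.mci.net>").decode()
    return base64.b64decode(client_response("tim", "tanstaaftanstaaf", challenge_b64)).decode()


if __name__ == "__main__":
    ok, chal, resp = run_exchange("rocco", "correct horse battery staple")
    print("fresh exchange accepted:", ok)
    # A captured response is rejected against a new challenge (the nonce changes)...
    print("replayed response accepted:", server_verify(resp, server_challenge()))
    # ...but it is still a MAC of a known challenge under the password, which an
    # eavesdropper can test guesses against offline. That is the reason the
    # mechanism is only run inside TLS, as the thread says.
```

Dovecot's side of this is the password scheme: with cram-md5 enabled, the passdb entry has to be either PLAIN or the CRAM-MD5 scheme (the precomputed HMAC state), and an attacker who reads the file gets something equally usable for logging in.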
 
roccobaroccoSC

Aspiring Daemon

Reaction score: 226
Messages: 749

I was the author of that Howto, at that time I was @rolfheinrich.

Based on that tutorial, I wrote a new one on my blog: https://obsigna.com/articles/1539726598.html

I still suggest cram-md5 as the authentication mechanism since this is what most e-mail clients support. If you use something else, then make sure that it is supported by the clients which are to be used with your mail server installation; otherwise it might happen that your wife mandates you to use WhatsApp instead of e-mail (although this might happen anyway).

Regarding the password store, I would not suggest a database engine for a handful of users, it adds complexity which does not pay back.
Thank you for posting the tutorial!
A suggestion: Could you maybe add the link to the updated tutorial in the original post? It would help users like me searching for an up to date howto. That would be very helpful.

And regarding the email clients, TBH I will be the only user of that server. I will be using it as a kind of storage container for all my emails because I am sick of migrating emails from one client to another and then losing stuff in the process. I want to set up a mailbox on a host I control and then dump all my messages in that, back it up properly etc. I want to be able to use a variety of clients when I access that.
For years I have been a heavy mail/thunderbird user, but now it has become so annoying that it is way beyond the point of being unusable. So a switch to mail/evolution is long overdue.

And using WhatsApp instead of email - in another life maybe.
 

hruodr

Aspiring Daemon

Reaction score: 283
Messages: 896

And regarding the email clients, TBH I will be the only user of that server. I will be using it as a kind of storage container for all my emails because I am sick of migrating emails from one client to another and then losing stuff in the process.
Unfortunately UW IMAP is not maintained anymore, but it is still in the source of the alpine mail client.

It runs out of the box, without (much) configuration, and just serves your mailbox to the outside.
Ideal for small servers. I have sendmail+cyrus, but cyrus is very complicated.
 

obsigna

Daemon

Reaction score: 899
Messages: 1,295

A suggestion: Could you maybe add the link to the updated tutorial in the original post?
Sorry, I can’t. Because of my stupidity, I lost the credentials of @rolfheinrich, then the account became deleted (therefore Anonymous), then I was able to create a new user @rolfheinrich, but this is no more linked to many of my messages.
 

msplsh

Aspiring Daemon

Reaction score: 224
Messages: 624

Regarding the password store, I would not suggest a database engine for a handful of users, it adds complexity which does not pay back.
I switched mine to SQLite so that it was easy to create a web-based admin interface. Made some short shell scripts with SQL in them for when I am at the command line. Bringing up something like Postgres though, I agree.
 