| Both sides previous revisionPrevious revisionNext revision | Previous revision |
| wiki:debianmailserver [2024/08/30 14:59] – [Remote Encrypted Container Mount Assistance] va1der | wiki:debianmailserver [2024/09/28 01:29] (current) – va1der |
|---|
| **// | **// |
| |
| Say Goodbye to Google, you're setting up the cadilac of e-mail systems. With it you can host many domains worth of email, give yourself and your family and friends the best vanity addresses in the world, swoop in to save the day for clubs and organizations who don't have the expertise or cash, and do it all on a small budget. You don't need all that much in the way of a server to accomplish it. | Say Goodbye to Google, you're setting up the Cadilac of e-mail systems. With it you can host many domains worth of email, give yourself and your family and friends the best vanity addresses in the world, swoop in to save the day for clubs and organizations who don't have the expertise or cash, and do it all on a small budget. You don't need all that much in the way of a server to accomplish it. |
| |
| There are easier virtual domain e-mail solutions, like [[https://mailinabox.email/|Mail-in-a-box]], but these can hide too much of the engine. Their design decisions and nuts-and-bolts are often poorly documented, leaving it difficult to add pieces, and almost impossible to change components. | Doing it this way is setting up a lot of moving parts. So first think about whether you perhaps want a more turn-key solution like [[https://mailinabox.email/|Mail-in-a-box]]. |
| |
| However doing it this way is setting up a lot of moving parts. Even following these instructions you can expect this to take a few days. | That said, at the end of this process you will have an email server you knowv inside and out, one you can add arbitrary domains to, one that is very secure from outside access and which is even somewhat secure from internal (VPS host) access. |
| | |
| That said, at the end of this process you will have an email server you can add arbitrary domains to, one that is very secure from outside access and which is even somewhat secure from internal (VPS host) access. | |
| |
| ---- | ---- |
| ====== Requirements ====== | ====== Requirements ====== |
| You will need the following: | You will need the following: |
| - **Static IP address with PTR (reverse DNS) capability.**\\ If you don't have a genuine static IP address from a provider that is willing to put in a reverse DNS PTR record, then don't attempt this. Period. Without it your email just won't be deliverable. Most VPS providers that give you a static IP will set up a PTR, though mine required me to send them my photo ID. | - **Static IP address with PTR (reverse DNS) capability.**++☛|**(**A reverse DNS PTR record is required for deliverability. Outgoing emails from your server will end up in the spam folders or jsut be dropped outright forever by every major email player without a reverse DNS name that matches your forward DNS name. If you don't have a genuine static IP address from a provider that is willing to put in a reverse DNS PTR record, then don't attempt this. Period. Most VPS providers that give you a static IP will set up a PTR, though mine required me to send them my photo ID.**)**++ |
| - **A shiny new domain name and the ability to control the DNS for it.**\\ The instructions below assume you are going to self-host your own DNS, but that requires you to have two unique IP addresses and a domain provider who will make the glue records for you. You don't have to self-host your DNS, but you will need a registrar that gives you good control of your DNS. You need one real domain that you own. Every other domain you host only needs to put an MX record on their DNS to say you are handling their email. | - **A shiny new domain name and the ability to control the DNS for it.**++☛|**(**The instructions below assume you are going to self-host your own DNS, but that requires you to have two unique IP addresses and a domain provider who will make the glue records for you. You don't have to self-host your DNS, but you will need a registrar that gives you good control of your DNS. You need one real domain that you own. Every other domain you host only needs to put an MX record on their DNS to say you are handling their email. [[https://www.pairdomains.com/|Pair Domains]] is one registrar I can recommend as giving exceptional (and free) DNS control right with your domain.**)**++ |
| - **Actual server "hardware".**\\ I personally use a VPS with 2 cores, 80GiB of space, and 4GiB of RAM. Many of my design decisions are specifically tailored to reducing memory and CPU footprint. The first VPS I ran back on Debian 7 had half a core (one core shared between two VPSs) and 1GiB of RAM. This is still a feasible setup. | - **Server.**++☛|**(**A physical or Virtual Private Server. Going with a VPS is the common solution. Experience showed a VPS with ½ core (one core shared between two VPSs), 1GiB RAM and 10GiB storage is a feasible minimal server for a small one or two domain setup. Something more robust would be 2 cores, 4GiB RAM, 40GiB storage. Many of the design decisions here are specifically tailored to reducing memory and CPU footprint.**)**++ |
| - **A workstation.**\\ This probably goes without saying, but you'll need a computer to work from to build this. On it you'll need: | - **A workstation with:** |
| - WireGuard "client" | - WireGuard "client" |
| - SSH - a good modern one with scp capability and sntrup761x25519 support. That means OpenSSH (9+), TinySSH (20210601+), or for Windows, PuTTY (0.78+) / WinSCP (6.2+) | - SSH Either OpenSSH (9+) or, for Windows, PuTTY (0.78+) / WinSCP (6.2+) |
| - **Watchdog computer**\\ It isn't an //absolute// requirement, but for the internal security portion (where we encrypt the server's mail and database storage) we need a watchdog computer. By that what is meant is an always-on always-on computer, one that is hopefully inside your local LAN and which you can trust implicitly. It needs to be able to perform periodic checks (ie: cron). A spare OpenWRT router/device is an eminently great, energy efficient, and cheap solution. | - **Watchdog computer/device**++☛|\\**(**It isn't an //absolute// requirement, but for the internal security portion (where we encrypt the server's mail and database storage) we need a watchdog computer. By that what is meant is an always-on always-on computer, one that is hopefully inside your local LAN and which you can trust implicitly. It needs to be able to perform periodic checks (ie: cron). A spare OpenWRT router/device is an eminently great, energy efficient, and cheap solution.**)**++ |
| |
| ---- | ---- |
| |
| ===== Considerations ===== | ===== Considerations ===== |
| | Some of the design considerations which may need a little explanation: |
| |
| **Web Server:** The decision to go with Lighttpd has been revisted several times in the iterations leading up to this one. Lighttpd is in the significant minority of installations today. Nginex is slightly more performant on high-resource systems, but Lighttpd is still by far the best way to squeeze every megabyte out of your server. If you are running on a VPS and are paying for every megabyte, then Lighttpd is the way to go. That said, it hasn't always been the easiest choice, and might mean a learning curve for you in the future when you add pieces. Many instructions ust assume you're going to be using Apache or Nginex. | **Web Server:** This design uses Lighttpd. Lighttpd is one of Debian's three officially supported web servers, but today is in the significant minority of installations. The decision to continue with Lighttpd has been revisited several times in the iterations leading up to this one. While it is true that Nginex is slightly more performant on high-resource systems, Lighttpd is still by far the best way to squeeze every megabyte out of your server. If you are running on a VPS and are paying for every megabyte, then Lighttpd is the way to go. |
| |
| **DKIM:** OpenDKIM is the DKIM provider most people think of. But it [[https://sourceforge.net/projects/opendkim/files/|hasn't been updated]] //since// Debian 7 in 2015. A new player in town is dkimpy-milter, a switch made with the previous, Debian 11, iteration and it has performed excellently. Even if it is written in Python. ;-) | **DKIM:** OpenDKIM is the DKIM provider most people think of. But it [[https://sourceforge.net/projects/opendkim/files/|hasn't been updated]] //since// Debian 7 in 2015. A new player in town is dkimpy-milter, a switch made with the previous, Debian 11, iteration of this procedure, and it has performed excellently. Even if it is written in Python. ;-) |
| |
| **Packaging:** A major design consideration has been to avoid the use of any third party package/dependency systems (Composer, PyPI, Go-anything, etc). Some projects, like RoundCube, have officially adopted Composer as their plugin distribution mechanism. This has no place on a production server, which is what we're making here. All modules, libraries, and plugins are either supplied by Debian packages or are vetted and manually downloaded. | **External Packaging:** A major design consideration has been to avoid the use of //any// third party packaging/dependency systems (Composer, PyPI, Go-anything, etc). Some projects, like RoundCube, have officially adopted Composer as their plugin distribution mechanism. This has no place on a production server, which is what we're making here. All modules, libraries, and plugins are either supplied by Debian packages or are vetted and manually downloaded. |
| |
| |
| |
| ====== Procedure ====== | ====== Procedure ====== |
| We are starting here from the point where you have a brand new VPS you are starting up for the first time. Even if you've already been using your server for some time, you may want to read these steps. | We are starting from the point where you have a brand new VPS you are starting up for the first time. Even if you've already been using your server for some time, you may want to read these initial steps. |
| |
| NOTE: Command-lines below assume the use of ''%%joe%%'' as my a text editor. It's a bit more old school than ''%%nano%%'', so feel free to adjust to your preferences. | NOTE: Command-lines below assume the use of ''%%joe%%'' as a text editor. It's a bit more old school than ''%%nano%%'', so feel free to adjust to your preferences. |
| |
| ===== Phase 1 - Batten the Hatches (External Security) ===== | ===== Phase 1 - Batten the Hatches (External Security) ===== |
| You've got a shiny new VPS or server. Your first consideration is to secure it. András Stribik said it best when he said "my goal with this .. is to make NSA analysts sad". This is absolutely our goal. | You've got a shiny new VPS or server. Your first consideration is to secure it. The goal here, in the words of András Stribik, is to make NSA analysts sad. |
| | |
| | Security goals: |
| | - 256-bit level security throughout (ie: <m>2^256</m> operations to crack). |
| | - All keymat transfers (including session keys) protected by crypto as strong as the security level of the keymat. 256-bit keymat should never be transported without being protected by crypto that matches its security level |
| | - Post-Quantum safe |
| | - Redundant security - SSH over WireGuard |
| |
| If your VPS provider is like mine, you'll start with a remote console using something like VNC-over-https. First order of business, make sure you've got nothing listening on your server, and if there is, and you haven't yet ensured it's secure, then shut it down. Take a look at what's listening: | If your VPS provider is like mine, you'll start with a remote console using something like VNC-over-https. First order of business, make sure you've got nothing listening on your server, and if there is, and you haven't yet ensured it's secure, then shut it down. Take a look at what's listening: |
| ==== Encrypted Container Remote Mount ==== | ==== Encrypted Container Remote Mount ==== |
| |
| The whole point of the watchdog is to enable it to mount the server's encrypted container when the server reboots. We're going to do this with SSH. The password for the encrypted container and also the sudo password for a sudo-capable user (it might as well be your main user) are both going to be sent over SSH. Put them in files on the watchdog: | The whole purpose of the watchdog is to enable it to mount the server's encrypted container when the server reboots. We're going to do this with SSH. The password for the encrypted container and also the sudo password for a sudo-capable user (it might as well be your main user) are both going to be sent over SSH. Put them in files on the watchdog: |
| # touch /root/admin/etc/<SERVERNAME>_container /root/admin/etc/<SERVERNAME>_control | # touch /root/admin/etc/<SERVERNAME>_container /root/admin/etc/<SERVERNAME>_control |
| # chmod 600 /root/admin/etc/<SERVERNAME>_container /root/admin/etc/<SERVERNAME>_control | # chmod 600 /root/admin/etc/<SERVERNAME>_container /root/admin/etc/<SERVERNAME>_control |
| |
| The server name used for subsequent examples will be "QRO". Make sure you change accordingly. | The server name used for subsequent examples will be "QRO". Make sure you change accordingly. |
| Once the passwords | |
| |
| ====== References ====== | ====== References ====== |
