[techtalk] Hi.I'm new.Postfix/mail server questions...

Penguina penguina at cosyn.co.nz
Tue May 22 09:19:40 EST 2001


Hi Elizabeth!  As an also-ignored newcomer, I'll welcome you.

On Mon, 21 May 2001, Elizabeth wrote:

> Hello.  I've been lurking for a bit.  I don't remember if I actually
> mailed anything to this group yet.  I really wanted to when that one
> chick was going on about the security breach.  oooh boy.  I got ignored
> out one of the perl groups, because I came off too arrogant or
> something.  Which is funny, because one of the three virtues of a
> programmer is hubris.  So the creator of Perl says.  :-)  I kind of
> agree....to a degree.  In any case.  I didn't want to make the same
> mistake, so I tried to hold back.

What was prettyphysicslady's mistake?  It wasn't speaking up, it was
making idle threats to intruders she wasn't able to actually track
down, for the great and heinous crime of scanning her ports. It was
throwing her toys over well-known linux boot features, asserting that
they are 'vulnerabilities' (as if physical access to any machine wasn't
automatically a vulnerability).  And finally, it was doing all this
while running a host of services with known vulnerabilities, ports
open and ready to be exploited all over the place.  Sheer foolishness.

Imagine a pimply-faced pale sunken-chested teenager
stomping into a biker bar and starting to loudly insult,
then threaten, the clientele...with her peashooter.
Imagine that same pimply-faced teenager being unceremoniously
ejected from this uh...establishment by said bikers.

The same teenager probably wouldn't have had the same
problem if she hadn't started insulting and threatening
the clientele.  If she'd said, "uh, excuse me, but could
you please direct me to the closest pharmacy?" it would
have been a little different.

> er...What was my point?  Oh yes.
> Mail.
>
> I'm administering a server and creating the back-end to a website.
> Let's see...how to explain my set-up...hehe.   The actual server is...I
> think...still at the store.  There's a test server that's in the project
> leader's apartment that I configured for ssh access, but the ip isn't
> resolving right.  Something to do with the pl's isp.  It works I leave
> it over there...alone...and it doesn't work anymore.  It's going to be
> brought over here.  hm...  Let's just ignore that one.

is it on a static ip number, or is it dial-in with a dhcp-assigned number?
who did you register the domain with?  who did you make your primary and
secondary servers?  are you the admin on the primary and secondaries or
do you have to call up network solutions and give them a bloody tune-up
every time you want to add another name to the same ip (which NS claims
is "illegal" -- funniest thing I heard all day -- the very reason why I
only name machines as primaries and secondaries that I also administer)?
what do the whois records look like?  You don't have to answer me or the
list, but you will need to answer these questions for yourself before
venturing on to your mail configuration.  Just go through them one by
one, and write down the answer to each in a bound notebook -- everything
but the passwords.

> The one I've been doing most of my testing on is here in my apartment.
> It has the latest and greatest Debian release (I know, I know, not good,
> but it's only a test server.  The real server will have the latest
> *stable*). I'm running Postfix as the mailer.  If I have this right,
> it's simply an MTA.  If I were to have more users I would need an IMAP
> or POP server.  I've heard of Cyrus as an IMAP.  It seems pretty
> straight forward, I guess, but I would like a little advice.

See?  That's a lot different than stomping into a biker bar and
threatening the patrons with a pea-shooter. A LOT different!

Anyway, the one thing I tended to try to pay attention to last time
I set up a mailer was making sure just about nobody was able to use
it as a mail relay--nobody except for people with legitimate accounts,
coming in from known locations.  ISPs that handle dial-ins often only
allow those hosts to which they have issued an IP number through DHCP
to relay mail.  Otherwise, they would have a spam-o-matic relay site
on their hands.  To let other people come in from the web, whom you
can't authenticate as easily on the basis of an IP number which You
Yourself Have Assigned -- it's a little harder to control who uses it,
and abuse of such sites is rife.   I used to get a lot of spam relayed
through zzn, for example, until I just set the rules on my sendmail.cf
to simply reject all e-mail from that domain.  Choosy mother, aren't I?

> The web site will offer email.  I'm not quite sure yet if it'll be
> available for anyone or if the addresses will be set up by admin.  In
> either case I am extremely reluctant to have any kind of web user have
> shell access.  I don't even want them to have an /etc/passwd entry.

They don't need a shell if you're running a pop or imap server -- just
put /usr/bin/false in the shell entry of /etc/passwd and they just won't
have a shell (unless they can override the contents of the null shell,
in which case you're rooted anyway).  You will want to make sure that
your security patch level on your mail server daemon is up-to-date,
since it's one of the things you'll be exposing to the outside world.

There are a couple other things you can do, like having a separate
group for each user, so that even if say, group write permissions get
set for one critical utility using a group number that just happens
to correspond to a user...it won't immediately be a group write free-
for-all for *all* users.  Just that one.

> plan on having to only set up this server once and do fine-tuning for a
> little bit, but after that leaving it completely alone.  I reeealy don't
> want anyone (even their "admin") to have too much access to the server.

who does?  this is so reasonable it hurts...

> seems that IMAP would be better to use in this case, but there doesn't
> seem to be a lot of choices.  A lot of people seem to be using pop.
> Which one?  I've read a little about it, but again...there's nothing
> really concrete.  I don't want anything fancy.

imap is better than pop in that it makes it easier for users to
manage several different accounts more easily.

whichever you choose, keep your security patch levels up to date.

One thing that cuts down the chance of being hacked into from
a random location is to know the domain name that each mail
user is going to be coming in from -- and restrict access to
the pop-or-imap-daemon to just those domains.

For instance, user A always gets his mail after dialling in to
his ISP xtra.co.nz and user B gets her mail after dialing in
to clear.net.nz.

In general, you won't know their IP number or fully qualified host
name every time they come in if those things are dynamically assigned
every time they dial into their ISP.  BUT you do know what domain
they're coming in from.  If you're going to have a *small* number
of users, you can restrict use of the popd or imapd port to, say,
xtra.co.nz and clear.net.nz through hosts.allow.

While this won't
prevent people who might be trying to hack in from xtra.co.nz or
clear.net.nz, it does exclude people coming in from all other
domains in the world.  Reduces the risk more than just leaving
your popd ports (and everything else) just hanging open in the
breeze...which believe you me, is not a pretty site!

>
> Thanks,
> Elizabeth
>
> Ps...um...did I mention I drink too much coffee?
>

Switch to gin.  It will help.

Cheryl
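
Added example (not part of the original message, and not code from tcp wrappers itself): a small Python model of how hosts.allow and hosts.deny are evaluated for the per-domain POP/IMAP restriction described above. The daemon name "ipop3d" and the client host names are constructed for illustration.

```python
# Simplified model of the tcp wrappers decision order described in
# hosts_access(5): hosts.allow is searched first, then hosts.deny, the first
# matching rule wins, and a client matching no rule at all is granted access.
# Only "ALL" and ".domain" suffix patterns are modelled.

# Constructed sample files. "ipop3d" is an assumed daemon name; use the
# process name your POP or IMAP server really runs under.
HOSTS_ALLOW = """
# POP3 only from the ISPs our two users dial in through
ipop3d: .xtra.co.nz .clear.net.nz
"""
HOSTS_DENY_EMPTY = ""            # weak: hosts.allow alone refuses nobody
HOSTS_DENY_DEFAULT = "ALL: ALL"  # corrected: refuse whatever was not allowed


def parse(text):
    """Return [(daemons, clients)] from 'daemon_list : client_list' lines."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        daemons, clients = line.split(":", 1)
        rules.append((daemons.replace(",", " ").split(),
                      clients.replace(",", " ").split()))
    return rules


def client_matches(pattern, host):
    """host is the name reverse DNS gave for the connecting address."""
    if pattern == "ALL":
        return True
    if pattern.startswith("."):   # suffix match: the leading dot is required
        return host.lower().endswith(pattern.lower())
    return host.lower() == pattern.lower()


def allowed(daemon, host, allow_text, deny_text):
    for verdict, text in ((True, allow_text), (False, deny_text)):
        for daemons, clients in parse(text):
            if (daemon in daemons or "ALL" in daemons) and \
                    any(client_matches(c, host) for c in clients):
                return verdict
    return True   # matched nothing in either file


if __name__ == "__main__":
    for host in ("p12.dialup.xtra.co.nz", "host.example.com"):
        for deny in (HOSTS_DENY_EMPTY, HOSTS_DENY_DEFAULT):
            print(host, repr(deny), allowed("ipop3d", host, HOSTS_ALLOW, deny))
```

With hosts.allow alone the outside host is still accepted; it is the "ALL: ALL" line in hosts.deny that turns the allow list into a restriction.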




