mailserver-addendum.org (6005B)


#+options: ':nil *:t -:t ::t <:t H:3 \n:nil ^:{} arch:headline
#+options: author:t broken-links:nil c:nil creator:nil
#+options: d:(not "LOGBOOK") date:t e:t email:nil f:t inline:t num:t
#+options: p:nil pri:nil prop:nil stat:t tags:t tasks:t tex:t
#+options: timestamp:t title:nil toc:t todo:t |:t
#+HTML_HEAD: <link rel="stylesheet" type="text/css" href="../css/terminal.css" />
#+HTML_HEAD: <script src="../scripts/main.js" integrity="sha384-__SHASUM__"></script>
#+HTML_HEAD: <link rel="shortcut icon" type="image/x-icon" href="/res/favicon.ico">
#+language: en
#+select_tags: export
#+exclude_tags: noexport
#+creator: Emacs 27.1 (Org mode 9.3)
#+options: html-link-use-abs-url:nil
#+options: html-scripts:nil html-style:nil
#+options: html5-fancy:nil tex:t
#+html_doctype: xhtml-strict
#+html_container: div
#+description:
#+keywords:
#+html_link_home:
#+html_link_up:
#+html_mathjax:
#+html_head:
#+html_head_extra:
#+subtitle:
#+infojs_opt:
#+creator: <a href="https://www.gnu.org/software/emacs/">Emacs</a> 27.1 (<a href="https://orgmode.org">Org</a> mode 9.3)
#+latex_header:
#+options: toc:nil


#+TITLE: In Addition to Luke Smith's Mail Configuration Video
#+AUTHOR: Ryan Jeffrey
#+EMAIL: ryan@ryanmj.xyz
#+DATE: <2020-09-16 Wed>
#+OPTIONS: num:nil

__PROMPT__ cat posts/mailserver-addendum.html

I used [[https://youtu.be/9zP7qooM4pY][Luke Smith's video on setting up an email server]], and although it got me 90% of the way there, I encountered a couple of snags that he was able to avoid for whatever reason.


* Port 25
By default the well-known port 25 (SMTP) is blocked on Vultr. They do this to minimize the amount of spam that comes from their servers, and it means your outgoing mail sits in the queue because every delivery attempt times out. You can check whether this is your problem with:

#+begin_src shell
journalctl | grep 'timed out' -i
#+end_src

If the output contains the number ~25~ it is safe to assume that this is the problem (I fixed this problem months ago, so I don't have any sample output to show you. Sorry!). You can fix it by opening a ticket with Vultr's support and simply asking them to unblock the port.

* Reverse DNS
I just attempted to submit a patch to the GNU project today only to have my mail rejected because I had not set up a reverse DNS entry with Vultr. It's not uncommon for mailservers to reject your mail for this. To set up reverse DNS:

** ipv4
- Go to products->instances->your-server-settings->ipv4 and simply add your domain name (like ~ryanmj.xyz~) in the column that says "reverse DNS".
** ipv6
- Go to the ipv6 settings.
- Copy the address under the "network" column and take note of the "netmask" number.
- Run:
#+begin_src shell
sipcalc network_addr/netmask_number
#+end_src

Replace ~network_addr~ with your copied address, and replace ~netmask_number~ with the number under "netmask".

It will give you something that looks like this:
#+begin_src
[ryan@Springfield ~]$ sipcalc 2001:19f0:5:3b2d::/64
-[ipv6 : 2001:19f0:5:3b2d::/64] - 0

[IPV6 INFO]
Expanded Address        - 2001:19f0:0005:3b2d:0000:0000:0000:0000
Compressed address      - 2001:19f0:5:3b2d::
Subnet prefix (masked)  - 2001:19f0:5:3b2d:0:0:0:0/64
Address ID (masked)     - 0:0:0:0:0:0:0:0/64
Prefix address          - ffff:ffff:ffff:ffff:0:0:0:0
Prefix length           - 64
Address type            - Aggregatable Global Unicast Addresses
Network range           - 2001:19f0:0005:3b2d:0000:0000:0000:0000 -
                          2001:19f0:0005:3b2d:ffff:ffff:ffff:ffff

-
#+end_src

Copy the ipv6 address on the top row of "Network range" (the start of your range), append a colon, and then replace the trailing zeros with a host number that keeps the address inside that range. For example, my chosen address is ~2001:19f0:5:3b2d::2~. Whatever address you pick must also be the one your server actually sends from, because the receiving server looks up the PTR record of the connecting address.

- Add a reverse DNS entry in Vultr with your chosen ipv6 as the ip address and your domain name as the entry.
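The same steps done in Python with the standard ~ipaddress~ module, as an added example that is not part of the original post: derive the host address from the network and netmask Vultr shows, refuse a host number outside the range, print the ~in-addr.arpa~ / ~ip6.arpa~ names the PTR records must have so you can check them afterwards with ~dig -x~, and apply the forward-confirmed rDNS check that receiving servers perform. The /64 is the one from the sipcalc output above; the host number, IPv4 address and domain are assumed sample values.

```python
import ipaddress
import socket

# Sample values (assumptions for this example): the /64 that sipcalc printed above,
# the host number the post picks, a documentation-range IPv4 address and the domain.
NETWORK_V6 = "2001:19f0:5:3b2d::/64"
HOST_ID = 2
ADDR_V4 = "203.0.113.10"   # placeholder, not a real server address
DOMAIN = "ryanmj.xyz"


def choose_host(network: str, host_id: int) -> str:
    """Return network_address + host_id, refusing numbers outside the range."""
    net = ipaddress.ip_network(network, strict=False)
    if not 0 < host_id < net.num_addresses:
        raise ValueError(f"host number {host_id} is outside {network}")
    return str(net.network_address + host_id)


def ptr_name(addr: str) -> str:
    """Owner name of the PTR record for addr (in-addr.arpa / ip6.arpa form)."""
    return ipaddress.ip_address(addr).reverse_pointer


def fcrdns_ok(addr: str, ptr_target: str, forward_addrs, expected: str) -> bool:
    """Forward-confirmed rDNS, the check receiving mail servers apply: the PTR for
    addr must name `expected`, and `expected` must resolve back to addr."""
    a = ipaddress.ip_address(addr)
    same_name = ptr_target.rstrip(".").lower() == expected.rstrip(".").lower()
    return same_name and any(ipaddress.ip_address(x) == a for x in forward_addrs)


def check_live(addr: str, expected: str) -> bool:
    """fcrdns_ok against the real resolver (needs network; not exercised offline)."""
    try:
        ptr_target = socket.gethostbyaddr(addr)[0]
        forward = {ai[4][0] for ai in socket.getaddrinfo(expected, None)}
    except OSError:
        return False
    return fcrdns_ok(addr, ptr_target, forward, expected)


if __name__ == "__main__":
    v6 = choose_host(NETWORK_V6, HOST_ID)
    for a in (ADDR_V4, v6):
        # The record created in Vultr's panel must answer these lookups with DOMAIN.
        print(f"dig -x {a}   # should return PTR {ptr_name(a)} -> {DOMAIN}")
```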


* fail2ban
While trying to fix a tiny problem with my server I encountered dozens of lines like this in ~journalctl~:

#+begin_src
Sep 15 11:36:54 underground postfix/smtps/smtpd[32284]: warning: unknown[212.70.149.68]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Sep 15 11:37:00 underground postfix/smtps/smtpd[32284]: lost connection after AUTH from unknown[212.70.149.68]
#+end_src

These logs would come in every 2 minutes; it appears that someone is using a script to hack the server.

To fix this, I use ~fail2ban~, a service that watches your logs and puts IPs with too many failed login attempts into a jail (essentially a timeout area: the IP is blocked in the firewall for ~bantime~ and then released). It can also block IPs outright.

Once you have installed the package, copy the default configuration to a local file (~jail.conf~ is overwritten on upgrades, ~jail.local~ is not):

#+begin_src shell
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
#+end_src

And apply this patch to ~/etc/fail2ban/jail.local~:

#+begin_src diff
--- /etc/fail2ban/jail.conf     2018-01-18 13:49:01.000000000 +0000
+++ /etc/fail2ban/jail.local    2020-09-16 00:10:44.888473433 +0000
@@ -51,7 +51,7 @@
 # "ignoreip" can be a list of IP addresses, CIDR masks or DNS hosts. Fail2ban
 # will not ban a host which matches an address in this list. Several addresses
 # can be defined using space (and/or comma) separator.
-#ignoreip = 127.0.0.1/8 ::1
+ignoreip = 127.0.0.1/8 ::1
 
 # External command that will take an tagged arguments to ignore, e.g. <ip>,
 # and return true if the IP is to be ignored. False otherwise.
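Review bot: uncommenting `ignoreip = 127.0.0.1/8 ::1` keeps exactly the value the shipped file shows, so this hunk changes no behaviour on its own; if the intent is to avoid locking yourself out while tuning the jails, add the address you administer the box from to this global ignore list, and say so in the prose.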
@@ -60,7 +60,7 @@
 ignorecommand =

 # "bantime" is the number of seconds that a host is banned.
-bantime  = 10m
+bantime  = 1h

 # A host is banned if it has generated "maxretry" during the last "findtime"
 # seconds.
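Review bot: `bantime = 1h` is the global value, so the one-hour ban applies to the sshd and postfix jails alike; the `findtime` and `maxretry` values the trailing comment describes sit just past the end of this hunk and stay at their shipped defaults except where the sshd hunk sets `maxretry = 3`, so the prose should state what window of failures actually triggers the one-hour ban.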
@@ -244,7 +244,8 @@
 port    = ssh
 logpath = %(sshd_log)s
 backend = %(sshd_backend)s
-
+maxretry = 3
+enable = true

 [dropbear]

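Review bot: `enable = true` is a typo; the fail2ban key is `enabled` (as the two later hunks spell it), so as written this hunk does not switch the sshd jail on and the `maxretry = 3` above it has no effect unless the jail is enabled elsewhere. Change it to `enabled = true`.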
@@ -541,6 +542,7 @@
 port    = smtp,465,submission
 logpath = %(postfix_log)s
 backend = %(postfix_backend)s
+enabled = true


 [postfix-rbl]
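Review bot: whether this jail catches the `SASL LOGIN authentication failed` lines quoted earlier depends on the jail's filter mode, which is set above the visible context; the port list `smtp,465,submission` does cover the smtps listener those log lines come from. Test the filter against a copy of the journal with `fail2ban-regex` before relying on it.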
@@ -638,7 +640,7 @@
 # "warn" level but overall at the smaller filesize.
 logpath  = %(postfix_log)s
 backend  = %(postfix_backend)s
-
+enabled = true

 [perdition]

#+end_src
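Review bot: the section header for this jail lies outside the three-line context, so a reader applying the change by hand cannot tell from the hunk which jail is being enabled; name it in the prose, since nothing in the text says which jail is meant to react to the SASL failures shown in the journal excerpt.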

Then, enable and start the service:

#+begin_src shell
systemctl enable fail2ban
systemctl start fail2ban
#+end_src

You can confirm which jails are actually running with ~fail2ban-client status~.
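What the SASL jail does with those journal lines, as an added Python example (my own code, not part of the post or of fail2ban): it applies fail2ban's ~maxretry~ / ~findtime~ rule to lines in the format quoted above and reports which addresses would be banned and when. The log lines and addresses are constructed samples, and fail2ban's default ~findtime~ of 10 minutes is assumed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches the "SASL LOGIN authentication failed" warnings quoted above; the
# "lost connection after AUTH" lines are deliberately not counted.
SASL_FAIL = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ postfix/\S*smtpd\[\d+\]: "
    r"warning: \S+\[(?P<ip>[0-9a-fA-F.:]+)\]: SASL \w+ authentication failed"
)

def parse_failures(lines, year=2020):
    """Yield (timestamp, ip) per matching line; syslog stamps carry no year, so one is assumed."""
    for line in lines:
        m = SASL_FAIL.match(line)
        if m:
            yield datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"), m["ip"]

def offenders(lines, maxretry=3, findtime=600):
    """Return {ip: time of ban} for IPs reaching maxretry failures within a sliding findtime-second window."""
    window = timedelta(seconds=findtime)
    recent = defaultdict(list)
    banned = {}
    for ts, ip in sorted(parse_failures(lines)):
        if ip in banned:
            continue  # already banned; nothing more is counted until the ban expires
        recent[ip] = [t for t in recent[ip] if ts - t <= window] + [ts]
        if len(recent[ip]) >= maxretry:
            banned[ip] = ts
    return banned

# Constructed sample journal (documentation-range addresses, not real hosts):
# 198.51.100.7 fails three times but spread out, 203.0.113.5 fails every two minutes.
SAMPLE_LOG = """\
Sep 15 11:00:00 underground postfix/smtps/smtpd[32284]: warning: unknown[198.51.100.7]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Sep 15 11:30:00 underground postfix/smtps/smtpd[32284]: warning: unknown[198.51.100.7]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Sep 15 11:31:00 underground postfix/smtps/smtpd[32284]: warning: unknown[198.51.100.7]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Sep 15 11:36:54 underground postfix/smtps/smtpd[32284]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Sep 15 11:37:00 underground postfix/smtps/smtpd[32284]: lost connection after AUTH from unknown[203.0.113.5]
Sep 15 11:38:54 underground postfix/smtps/smtpd[32284]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Sep 15 11:40:54 underground postfix/smtps/smtpd[32284]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
""".splitlines()

if __name__ == "__main__":
    for ip, when in offenders(SAMPLE_LOG).items():
        print(f"{ip} would be banned at {when:%H:%M:%S}")
```

With the 10 minute window only the every-two-minutes client crosses ~maxretry~; widening ~findtime~ to an hour also catches the slow one, which is the trade-off those two settings control.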


Your mailserver should now be good to go. Happy mailing!