mailserver-addendum.org (6005B)
#+options: ':nil *:t -:t ::t <:t H:3 \n:nil ^:{} arch:headline
#+options: author:t broken-links:nil c:nil creator:nil
#+options: d:(not "LOGBOOK") date:t e:t email:nil f:t inline:t num:t
#+options: p:nil pri:nil prop:nil stat:t tags:t tasks:t tex:t
#+options: timestamp:t title:nil toc:t todo:t |:t
#+HTML_HEAD: <link rel="stylesheet" type="text/css" href="../css/terminal.css" />
#+HTML_HEAD: <script src="../scripts/main.js" integrity="sha384-__SHASUM__"></script>
#+HTML_HEAD: <link rel="shortcut icon" type="image/x-icon" href="/res/favicon.ico">
#+language: en
#+select_tags: export
#+exclude_tags: noexport
#+creator: Emacs 27.1 (Org mode 9.3)
#+options: html-link-use-abs-url:nil
#+options: html-scripts:nil html-style:nil
#+options: html5-fancy:nil tex:t
#+html_doctype: xhtml-strict
#+html_container: div
#+description:
#+keywords:
#+html_link_home:
#+html_link_up:
#+html_mathjax:
#+html_head:
#+html_head_extra:
#+subtitle:
#+infojs_opt:
#+creator: <a href="https://www.gnu.org/software/emacs/">Emacs</a> 27.1 (<a href="https://orgmode.org">Org</a> mode 9.3)
#+latex_header:
#+options: toc:nil


#+TITLE: In Addition to Luke Smith's Mail Configuration Video
#+AUTHOR: Ryan Jeffrey
#+EMAIL: ryan@ryanmj.xyz
#+DATE: <2020-09-16 Wed>
#+OPTIONS: num:nil

__PROMPT__ cat posts/mailserver-addendum.html

I used [[https://youtu.be/9zP7qooM4pY][Luke Smith's video on setting up an email server]], and although it got me 90% of the way there, I encountered a couple of snags that he was able to avoid for whatever reason.


* Port 25
By default Vultr blocks outbound connections to the well-known SMTP port, 25, on new instances. They do this to minimize the amount of spam that comes from their network, and the effect on a fresh mail server is that every delivery attempt Postfix makes to another server's port 25 hangs until it times out.
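The failure mode is worth seeing directly before filing a ticket. The following is an added example (my code, not part of the original post or of any Vultr tooling): it opens a TCP connection and reports whether it succeeded, was refused, or timed out. A provider dropping the packets produces a timeout, which is why the journal search below looks for "timed out"; a host that is reachable but has nothing listening is refused immediately, which is a different problem. The loopback self-test needs no outside network; the MX hostname in the `__main__` block is a placeholder.

```python
"""Classify how a TCP connection to an SMTP port fails.

Added example, not from the original post or from any Vultr tooling. A
provider-level block of port 25 drops the packets, so the connect attempt
times out; a closed port on a reachable host is refused at once. The MX
hostname used in __main__ is a placeholder, not a real server.
"""
import socket


def probe_port(host: str, port: int, timeout: float = 5.0) -> str:
    """Return 'open', 'refused', 'timed out', 'unresolvable' or 'error: <errno>'."""
    try:
        family, socktype, proto, _, sockaddr = socket.getaddrinfo(
            host, port, type=socket.SOCK_STREAM)[0]
    except socket.gaierror:
        return "unresolvable"
    sock = socket.socket(family, socktype, proto)
    sock.settimeout(timeout)
    try:
        sock.connect(sockaddr)
        return "open"
    except socket.timeout:               # packets silently dropped: the block
        return "timed out"
    except ConnectionRefusedError:       # host reachable, nothing listening
        return "refused"
    except OSError as exc:               # e.g. network unreachable
        return f"error: {exc.errno}"
    finally:
        sock.close()


def local_selftest() -> tuple:
    """Show 'open' vs 'refused' on loopback, with no outside network needed.

    Listens on an ephemeral port and probes it, then closes the listener and
    probes the same port again.
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    while_listening = probe_port("127.0.0.1", port, timeout=2.0)
    listener.close()
    after_close = probe_port("127.0.0.1", port, timeout=2.0)
    return while_listening, after_close


if __name__ == "__main__":
    print("loopback self-test:", local_selftest())
    # On an instance with the block in place this prints 'timed out' for a
    # real MX; mx.example.org is only a placeholder and resolves to nothing.
    print("port 25 to placeholder MX:", probe_port("mx.example.org", 25))
```

Run it on the server itself against the MX of a domain you control: "timed out" on port 25 while the same host answers on 587 or 465 is the provider block, and that is the evidence to put in the ticket.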
You can verify that this is the problem from the Postfix logs, where every delivery attempt to another server ends in a timeout:

#+begin_src shell
journalctl | grep 'timed out' -i
#+end_src

If the matching lines mention port 25 (Postfix logs a failed delivery as "connect to host[address]:25: Connection timed out") it is safe to assume that this is the problem (I fixed this problem months ago, so I don't have any sample output to show you. Sorry!). A timeout, rather than an immediate "Connection refused", is the signature of a provider silently dropping the packets. You can fix it by opening up a ticket with Vultr's support and simply asking them to unblock the port.

* Reverse DNS
I just attempted to submit a patch to the GNU project today only to have my mail rejected because I had not set up a reverse DNS entry with Vultr. It's not uncommon for mailservers to reject your mail for this. Whatever name you put in the reverse (PTR) entry, make sure it also resolves forward to the same address (an A record for IPv4, an AAAA record for IPv6): receiving servers check that the reverse entry is forward-confirmed, and using the hostname Postfix announces in HELO (~myhostname~ in main.cf) avoids one more mismatch. To set up reverse DNS:

** ipv4
- Go to products->instances->your-server-settings->ipv4 and simply add your domain name (like ~ryanmj.xyz~) in the column that says "reverse DNS".
** ipv6
- Go to the ipv6 settings.
- Copy the address under the "network" column and take note of the "netmask" number.
- run:
#+begin_src shell
sipcalc network_addr/netmask_number
#+end_src

Replace network_addr with your copied address, and replace netmask_number with the number under "netmask".

It will give you something that looks like this:
#+begin_src
[ryan@Springfield ~]$ sipcalc 2001:19f0:5:3b2d::/64
-[ipv6 : 2001:19f0:5:3b2d::/64] - 0

[IPV6 INFO]
Expanded Address        - 2001:19f0:0005:3b2d:0000:0000:0000:0000
Compressed address      - 2001:19f0:5:3b2d::
Subnet prefix (masked)  - 2001:19f0:5:3b2d:0:0:0:0/64
Address ID (masked)     - 0:0:0:0:0:0:0:0/64
Prefix address          - ffff:ffff:ffff:ffff:0:0:0:0
Prefix length           - 64
Address type            - Aggregatable Global Unicast Addresses
Network range           - 2001:19f0:0005:3b2d:0000:0000:0000:0000 -
                          2001:19f0:0005:3b2d:ffff:ffff:ffff:ffff

-
#+end_src

Every address in that "Network range" is yours. Take the network prefix (the "Compressed address", here ~2001:19f0:5:3b2d::~) and append a host part that stays inside the range, i.e. anything from ~2001:19f0:5:3b2d::1~ up to ~2001:19f0:5:3b2d:ffff:ffff:ffff:ffff~. For example, my chosen address is ~2001:19f0:5:3b2d::2~. The address you pick also has to be configured on the server's interface and be the one Postfix sends from (~smtp_bind_address6~ in main.cf pins the outgoing IPv6 address), otherwise the reverse entry belongs to an address nobody is mailing from.
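The same step in code, as an added example (mine, not from the post and not Vultr's or sipcalc's code), using only the Python standard library. It takes the /64 from the sipcalc output above, builds the host address, prints the reverse-zone name the PTR record will live at, and runs the check a receiving server actually performs: PTR(address) must name a host whose A/AAAA record points back at the address. The entries in ~SAMPLE_DNS~ are constructed stand-ins for what a resolver should answer once both records exist, so the self-test works offline; ~live_check()~ does the same lookup against real DNS.

```python
"""Choose a host inside the Vultr IPv6 /64 and check that its reverse DNS is forward-confirmed.

Added example, not part of the original post or of any Vultr tooling.
Assumptions: the /64 and the ::2 host are the ones from the sipcalc output
above; SAMPLE_DNS is a constructed stand-in for real resolver answers.
"""
import ipaddress
import socket
from typing import Iterable, Optional

NETWORK = ipaddress.IPv6Network("2001:19f0:5:3b2d::/64")  # from the sipcalc output above


def choose_host(network: ipaddress.IPv6Network, host_part: int) -> ipaddress.IPv6Address:
    """Return network prefix + host_part, e.g. host_part=2 -> 2001:19f0:5:3b2d::2.

    Rejects host_part 0 (the subnet-router anycast address) and anything that
    would spill outside the /64.
    """
    addr = network.network_address + host_part
    if host_part <= 0 or addr not in network:
        raise ValueError(f"{addr} is not a usable host address inside {network}")
    return addr


def ptr_name(addr: str) -> str:
    """The reverse-zone name where the PTR record lives (Vultr creates it for you)."""
    return ipaddress.ip_address(addr).reverse_pointer


def forward_confirmed(addr: str, ptr_answer: Optional[str], forward_answers: Iterable[str]) -> bool:
    """Receiver-side test: PTR(addr) names a host whose A/AAAA includes addr.

    Takes already-resolved answers so it can be exercised offline.
    """
    if not ptr_answer:
        return False  # no PTR at all: the case that got the GNU patch bounced
    target = ipaddress.ip_address(addr)
    return target in {ipaddress.ip_address(a) for a in forward_answers}


# Constructed stand-in for resolver answers: ::2 has a PTR to the domain and
# the domain's AAAA points back; ::3 has no PTR; ::4 has a PTR whose forward
# records do not include it (a reverse entry pointing at the wrong name).
SAMPLE_DNS = {
    "ptr": {
        "2001:19f0:5:3b2d::2": "ryanmj.xyz",
        "2001:19f0:5:3b2d::4": "ryanmj.xyz",
    },
    "forward": {"ryanmj.xyz": ["2001:19f0:5:3b2d::2", "203.0.113.10"]},
}


def check_sample(addr: str) -> bool:
    """Run forward_confirmed() against the constructed SAMPLE_DNS table."""
    name = SAMPLE_DNS["ptr"].get(addr)
    return forward_confirmed(addr, name, SAMPLE_DNS["forward"].get(name, []))


def live_check(addr: str) -> bool:
    """Same test against real DNS; needs network, so the self-test does not call it."""
    try:
        name = socket.gethostbyaddr(addr)[0]
    except socket.herror:
        return False
    forward = {info[4][0] for info in socket.getaddrinfo(name, None)}
    return forward_confirmed(addr, name, forward)


if __name__ == "__main__":
    host = choose_host(NETWORK, 2)
    print("chosen address:", host)
    print("PTR record name:", ptr_name(str(host)))
    for a in ("2001:19f0:5:3b2d::2", "2001:19f0:5:3b2d::3", "2001:19f0:5:3b2d::4"):
        print(a, "forward-confirmed:", check_sample(a))
```

Once the Vultr entry and your AAAA record have propagated, ~live_check("2001:19f0:5:3b2d::2")~ from any machine with working DNS should return ~True~; ~False~ means either the PTR is missing (what rejected the patch mail) or the name it points at does not resolve back to that address.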
- Add a reverse DNS entry in Vultr with your chosen ipv6 as the ip address and your domain name as the entry.


* fail2ban
While trying to fix a tiny problem with my server I encountered dozens of lines like this in ~journalctl~:

#+begin_src
Sep 15 11:36:54 underground postfix/smtps/smtpd[32284]: warning: unknown[212.70.149.68]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Sep 15 11:37:00 underground postfix/smtps/smtpd[32284]: lost connection after AUTH from unknown[212.70.149.68]
#+end_src

These lines came in every two minutes: someone was running a script to brute-force SMTP AUTH on the server. (The base64 at the end of the warning, ~UGFzc3dvcmQ6~, decodes to "Password:"; it is the server's own prompt that the client abandoned, not the password that was guessed.)

To fix this, I use ~fail2ban~, a service that watches the logs and puts IPs associated with too many failed login attempts into a jail (essentially a timeout area): once an address accumulates ~maxretry~ failures within ~findtime~ seconds, a firewall rule blocks it for ~bantime~. It can also block IPs permanently (a negative ~bantime~).

Once you install the package:

#+begin_src shell
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
#+end_src

(fail2ban's own recommendation is a ~jail.local~ holding only the settings you change, so that package updates to ~jail.conf~ still take effect; a full copy works too, and the patch below assumes one.) And apply this patch to ~/etc/fail2ban/jail.local~:

#+begin_src diff
--- /etc/fail2ban/jail.conf	2018-01-18 13:49:01.000000000 +0000
+++ /etc/fail2ban/jail.local	2020-09-16 00:10:44.888473433 +0000
@@ -51,7 +51,7 @@
 # "ignoreip" can be a list of IP addresses, CIDR masks or DNS hosts. Fail2ban
 # will not ban a host which matches an address in this list. Several addresses
 # can be defined using space (and/or comma) separator.
-#ignoreip = 127.0.0.1/8 ::1
+ignoreip = 127.0.0.1/8 ::1
 
 # External command that will take an tagged arguments to ignore, e.g. <ip>,
 # and return true if the IP is to be ignored. False otherwise.
@@ -60,7 +60,7 @@
 ignorecommand =
 
 # "bantime" is the number of seconds that a host is banned.
-bantime = 10m
+bantime = 1h
 
 # A host is banned if it has generated "maxretry" during the last "findtime"
 # seconds.
 
@@ -244,7 +244,8 @@
 port = ssh
 logpath = %(sshd_log)s
 backend = %(sshd_backend)s
-
+maxretry = 3
+enable = true
 
 [dropbear]
 
@@ -541,6 +542,7 @@
 port = smtp,465,submission
 logpath = %(postfix_log)s
 backend = %(postfix_backend)s
+enabled = true
 
 
 [postfix-rbl]
@@ -638,7 +640,7 @@
 # "warn" level but overall at the smaller filesize.
 logpath = %(postfix_log)s
 backend = %(postfix_backend)s
-
+enabled = true
 
 [perdition]
 
#+end_src

Then, start the service:

#+begin_src shell
systemctl enable fail2ban
systemctl start fail2ban
#+end_src


Your mailserver should now be good to go. Happy mailing!
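Review bot: in the @@ -51,7 +51,7 @@ hunk, ignoreip whitelists only loopback; combined with the sshd jail's maxretry = 3 further down, three mistyped passphrases from your own workstation will lock you out for the full bantime. Add the address or CIDR you administer from to this line (`ignoreip = 127.0.0.1/8 ::1 <your-ip>`) before enabling the jails.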
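Review bot: in the @@ -60,7 +60,7 @@ hunk a flat 1h ban means a persistent scanner simply resumes after an hour. If the installed fail2ban is 0.10 or newer (the 2018 date on this jail.conf suggests so), `bantime.increment = true` next to `bantime = 1h` makes a repeat offender's ban grow each time it comes back.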
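Review bot: in the @@ -244,7 +244,8 @@ hunk the option name is wrong: fail2ban reads `enabled`, not `enable`, so `+enable = true` does not switch the sshd jail on (the two later hunks spell it `enabled = true`). Replace the line with `enabled = true`. On Debian-based systems the sshd jail is already switched on by jail.d/defaults-debian.conf, which would mask the typo; `fail2ban-client status sshd` after a restart shows whether the jail is actually running.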
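Review bot: the @@ -541,6 +542,7 @@ hunk enables [postfix], whose filter in its default mode matches rejected deliveries (NOQUEUE: reject ... lines) rather than the `SASL LOGIN authentication failed` warnings quoted in the post; those are matched by the postfix filter in auth mode, which is what the [postfix-sasl] jail uses. Keep the hunk, but it is not the one that stops the brute-force attempts.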
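Review bot: the @@ -638,7 +640,7 @@ hunk, going by its context lines (the comment about the "warn" level and the [perdition] header that follows), enables the [postfix-sasl] jail, the one that actually matches the SASL failures in the log excerpt. Worth saying so in the text, since it gets the same one-line `enabled = true` as [postfix] and a reader could conclude either jail would do.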