Setup your own email server (MTA) on the cheap - part 7

All going well, this should be the last part of my posts about configuring Postfix as an MTA.

This configuration arose because I happened to be looking at my mail.log file while someone in the Ukraine was trying again and again to log in to my server. So, I installed Fail2Ban. Fail2Ban is a clever tool that watches the log files you configure and when suspicious activity is found, it uses iptables (a linux firewall) to block the source of traffic.

This tool is built for our setup so it’s relatively straight forward to setup:
1. Install Fail2Ban:
sudo apt-get install fail2ban 
2. In your favourite editor, create a file /etc/fail2ban/jail.local. This is where all the rules should be customised. Default rules are in jail.conf but these should be left (and will be updated in new versions) so customisation are all in your local file. This is the text I add to my jail.local file:

4. Finally, reload everything and you should be on your way
sudo service fail2ban restart

I’ve kept my configuration simple since smtp, smtps, and pop3s are the only services open to the public. If you have more, add configuration to enable these too. I also add the logpath because otherwise it looks for mail.warn which doesn't exist in my version.

That’s it. With this configuration my server has been working well, and by having SPF and DKIM we’re doing better than most email providers.

Big thanks to these sources:
https://importgeek.wordpress.com/2017/01/15/fail2ban-prevent-postfix-brute-force/

Setup Steps with links:
  1. Setup PostFix with email address forwarding
  2. Setup sending and use LetsEncrypt to secure the SMTP server 
  3. Setup SPAMAssassain so Gmail or Yahoo don’tblock us for passing on dodgy emails 
  4. Setup ClamAV to block viruses, these will get you blocked too 
  5. Setup DKIM using opendkim to check DKIM on incoming and sign our outgoing mail 
  6. Update sender addresses so SPF passes for forwarded messages 
  7. Use Fail2Ban to block brute force attempts on our server
Final notes:
After running my server for a few months, there are some tweaks I've made:
     1. I found the letsencrypt renewal logging hard to follow so I took more control by adding this line to my crontab:
0 0 1 * * /usr/bin/letsencrypt renew >> /var/log/letsencrypt/renew.log

   2. Freshclam had memory issues trying to update clamav yet ran fine manually. So I disabled the service and setup a cron job for this too:


sudo /etc/init.d/clamav-freshclam stop

sudo update-rc.d clamav-freshclam disable 
   Add this to crontab: 

0 */6 * * * /usr/bin/freshclam >> /var/log/clamav/freshclam.log
   3. To tidy up the logs, correct the hostname by running:
hostnamectl set-hostname mail.mydomain.com

Comments

Post a Comment

Popular posts from this blog

Sync iTunes with MythMusic

This is something I've been playing with for a while using various scripts but I think I'm now getting close to a good solution. It's a three stage process but its better than the 5+ steps I was doing. Here's what I'm doing now: Save the iTunes album art to the file system with iTSfv Copy the library to my MythTV PC with rsync in cygwin Copy my playlists with a nice perl script i found here: http://www.gossamer-threads.com/lists/mythtv/users/365416?page=last iTSfv is a nice tool which interfaces with iTunes and does various things to tidy up your library. One option is to "Export Artwork to Album folder as Folder.jpg". All you have to do is launch iTSfv and check this option, select all the tracks in your iTunes library and click Validate. It'll go through your library and place a nice jpg in the directory for all yout albums, which MythMusic will make use of. Then use rsync to sync the library to the music folder on the Media PC. I'm not goi
Read more

Using Homebridge and Broadlink RM Mini to automate

Image
In this post, I'll be documenting how I configured a Broadlink RM Mini to work with HomeKit using the Homebridge server I built in my last post . The Broadlink RM Mini is a small IR Blaster that sits on the coffee table and sends IR signals when requested. They're cheap, and they work: In hindsight, for a little more you can also get the RM Pro which (I found out later) includes a thermometer. I added a DS18D20 thermometer to my Raspberry Pi to get around this mess up. To start with, you'll need to unpack your RM Mini and get it setup on your network. To do this, you'll need to download their "e-Control" app and follow through the setup. There's a good summary of these steps here: https://spectrum.co.ae/blogs/technology/how-to-configure-broadlink-devices, you can just stop before step 5 if you don't plan to use the e-Control application. Now we need to add homebridge-broadlink-rm to our Raspberry Pi. Connect to the pi console, SSH or local
Read more

LetsEncrypt and AWS ELB Load Balancers

Image
This is something that I've struggled to find good information on. You've setup your IIS Web Servers in AWS, get them working nicely behind an ELB Load Balancer, now you want to apply a free LetsEncrypt SSL Certificate. This guide will take you through that process. Here's he basic run down: Design your Infrastructure to allow for a Central Validation Server Setup and IAM identity with access to manage your certificates Setup an initial certificate Apply the new certificate to a new ELB Re-generate the LetsEncrypt Certificate with a script to automatically update the ELB Certificate Design your Infrastructure to allow for a Central Validation Server One concept discussed in LetsEncrypt's Integration Guide  is a Central Validation Server. To abbreviate this considerably, this is setting up one of the servers to manage the certificates. Fortunately ELB2 presents the certificate to clients and it doesn't matter which certificate is presented by the server.
Read more