DevHeads.net

ODMR/ATRN ?

I'd very much like to move my (Postfix) mail server, which currently resides
on a (static IP) end-luser broadband line, to some VM in the cloud someplace,
and then use something like fetchmail to poll that periodically to pull
down all mail for my several domains and then have fetchmail re-inject
all of those mail messages into the local Postfix. The plan would be to
get all this running and then give up my local static IP here, exchanging
it for a dynamic one instead. (This will save me a tiny bit of money on
my monthly local ISP bill.)

Googling for options just now, it sure sounds like ODMR/ATRN would fit
my needs nicely, however I can't quite make out whether any of this
ODMR/ATRN stuff has ever actually been implemented in Postfix or not.
Has it been?

Regardless of whether it has or not, if anyone wants to suggest or recommend
any alternative solution(s) I'm all ears. I am open to anything that
will get the job done. My only real requirements for a solution are:

1) Must support unlimited email addresses per each recipient domain.

2) Must preserve envelope sender information.

In general, speed is not an issue, but security most certainly is.

That having been said, I am not eager to use Jakob Hirsh's odmrd because
that SMTP server is written in Perl, and I've been known to be DDoS'd
from time to time. So I'm loath to leave anything written in Perl running
on any outward facing port. It's just way too easy for an attacker to
run the CPU usage up to 100% and keep it there if one does so.

Looking forward to info on Postfix support for ODMR or alternatives thereto.

Regards,
rfg

Comments

Re: ODMR/ATRN ?

By Darren Pilgrim at 06/12/2019 - 17:37

On 2019-06-09 13:42, Ronald F. Guilmette wrote:
I use authenticated SMTP for this. Each cloud VM has two postfix instances:

One is the MX:
- low-security opportunistic TLS
- spam filtering
- envelope validation using relay_domains and relay_recipient_maps

The other is the authenticated SMTP relay:
- mandatory TLSv1.3 with private EC PKI
- permit_tls_clientcerts only
- soft_bounce=yes
- long maximal_queue_lifetime
- per-destination transports for defer_transports granularity

Re: ODMR/ATRN ?

By Wietse Venema at 06/09/2019 - 18:28

Ronald F. Guilmette:
What about setting up a tunnel between home (dynamic IP) and cloud
(static IP)? Could be a VPN, or SSH.

Wietse

Re: ODMR/ATRN ?

By Ronald F. Guilmette at 06/09/2019 - 19:13

In message < ... at spike dot porcupine.org>,

In a word, yea. That exact light just came on over my little noggin.

If I can figure out how to make that work, I think that will be THE
solution.

I just need to find some tool... some something... that will *transparently*
proxy all of the inbound port 25 traffic that comes in to the cloud VM
server machine to some other IP address... some other IP address that
will in fact be dynamic and changing, over time. (And yes, I understand
that dynamic DNS is likely to be helpful here.)

So, what tool should I use to do this transparent TCP proxying?

I guess that I need to go a googling.

Regards,
rfg

Re: ODMR/ATRN ?

By Wietse Venema at 06/10/2019 - 10:12

Ronald F. Guilmette:
HaProxy for inbound mail. Postfix supports their protocol.

For outbound, you need an MTA on the static IP address.

Wietse
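What "their protocol" means in practice, as an added example that is not part of the thread: haproxy prepends a one-line PROXY protocol v1 header to each forwarded connection, and the receiving MTA (Postfix with postscreen_upstream_proxy_protocol = haproxy, or smtpd_upstream_proxy_protocol on a plain smtpd listener) reads and validates that line before any SMTP. The code below builds and parses that header; the IP addresses are constructed documentation addresses.

```python
"""PROXY protocol v1 header between haproxy and a receiving MTA.

Added example (not from the thread): the header haproxy prepends to a
forwarded TCP connection when its backend is configured with "send-proxy",
and the validation a receiver such as Postfix's postscreen
(postscreen_upstream_proxy_protocol = haproxy) must do before it reads
any SMTP. IP addresses below are constructed documentation addresses.
"""
import ipaddress

MAX_V1_HEADER = 107  # spec: longest legal v1 line, CRLF included


def build_proxy_v1(src_ip, dst_ip, src_port, dst_port):
    """Header the proxy sends: PROXY <TCP4|TCP6> <src> <dst> <sport> <dport>CRLF."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    if src.version != dst.version:
        raise ValueError("source and destination must be the same IP family")
    family = "TCP4" if src.version == 4 else "TCP6"
    return f"PROXY {family} {src} {dst} {src_port} {dst_port}\r\n".encode("ascii")


def _port(text):
    # Spec: decimal, no leading zeros, 0..65535.
    if not text.isdigit() or str(int(text)) != text or int(text) > 65535:
        raise ValueError(f"bad port {text!r}")
    return int(text)


def parse_proxy_v1(data):
    """Validate the header at the start of `data`.

    Returns (client, rest): client is (src_ip, src_port, dst_ip, dst_port),
    or None for "PROXY UNKNOWN" (the proxy has no client address to report,
    e.g. a health check), and rest is the SMTP stream after the CRLF.
    Raises ValueError for anything else; a receiver must treat that as a
    protocol error and drop the connection, never read it as SMTP.
    """
    end = data.find(b"\r\n")
    if end < 0 or end + 2 > MAX_V1_HEADER:
        raise ValueError("no CRLF within 107 bytes: not a PROXY v1 header")
    line, rest = data[:end], data[end + 2:]
    fields = line.decode("ascii", "strict").split(" ")
    if fields[0] != "PROXY" or len(fields) < 2:
        raise ValueError("missing PROXY signature")
    if fields[1] == "UNKNOWN":
        return None, rest
    if fields[1] not in ("TCP4", "TCP6") or len(fields) != 6:
        raise ValueError("unsupported family or wrong field count")
    want = 4 if fields[1] == "TCP4" else 6
    src, dst = ipaddress.ip_address(fields[2]), ipaddress.ip_address(fields[3])
    if src.version != want or dst.version != want:
        raise ValueError("address family does not match declared protocol")
    return (str(src), _port(fields[4]), str(dst), _port(fields[5])), rest


def header_is_valid(data):
    """True when `data` starts with a well-formed v1 header."""
    try:
        parse_proxy_v1(data)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # haproxy -> Postfix: header first, then the client's SMTP bytes follow.
    wire = build_proxy_v1("203.0.113.7", "192.0.2.10", 51234, 25) + b"EHLO mx\r\n"
    client, smtp = parse_proxy_v1(wire)
    print("real client:", client, "| first SMTP bytes:", smtp)
```

On the haproxy side the backend line carries the keyword (for example `server mx 127.0.0.1:10025 send-proxy` in a `mode tcp` backend). The point of the header is that postscreen and the RBL/greylist logic see the real sender's IP instead of the proxy's, which is why the receiving listener must trust it; that listener therefore has to be reachable only from the proxy, since anyone who can connect to it directly could claim any client address.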

Re: ODMR/ATRN ?

By Antonio Leding at 06/09/2019 - 19:15

I think you want this tool that Chris mentioned earlier…

http://www.haproxy.org

Re: ODMR/ATRN ?

By Wietse Venema at 06/09/2019 - 18:29

Wietse Venema:
Plus a transport_maps setting on the cloud side that routes mail
into the tunnel.

Wietse

Re: ODMR/ATRN ?

By Ronald F. Guilmette at 06/09/2019 - 19:21

In message < ... at spike dot porcupine.org>,

Wait.... WHAT???

Just when I thought I had it all figured out, you go and confuse the
livin' bejesus outta me.

The idea is that there is going to be only *one* instance of Postfix,
and it will be -actually- running down on my machine at home. And
the cloud VM will just be transparently proxying TCP/25 back and forth
to/from that, so that it will look to the outside world AS IF my (one)
local Postfix instance here is actually running up on that cloud server.

That was what I *thought* that idea was anyway.

If so, then there simply will be *no* separate instance of Postfix running
"on the cloud side", either independently configurable or otherwise. (So
your comment above makes no obvious sense.)

Regards,
rfg

Re: ODMR/ATRN ?

By cvandesande at 06/09/2019 - 19:32

You can of course do this, and it will work.

The only reason to run a separate Postfix would be in case your home
server becomes unavailable, then the cloud VM will spool (hang onto)
your message(s) until your home server becomes available again, and as
soon as it's back it will deliver the messages it held.

On 10/06/2019 00:21, Ronald F. Guilmette wrote:

Re: ODMR/ATRN ?

By Ronald F. Guilmette at 06/09/2019 - 20:23

In message <63da273b-f850-5900-a151- ... at opendmz dot com>,

Ok, so just to be sure I am clear about all of this...

If I try to do this trivially simple transport maps solution (I mean instead
of having a whole separate TCP proxy) then in that case the Postfix instance
that will be running up on my cloud VM -will- spool incoming mail, and will
just hold on to it, as necessary, until whatever should be responding to
smtp:my-dynamic-fqdn starts answering its SMTP port again, yes?

Regards,
rfg

Re: ODMR/ATRN ?

By cvandesande at 06/09/2019 - 20:31

Yes absolutely correct.

If your server at home is online then it will pass through your cloud VM in mere seconds. If your home server is offline then it will continue trying to deliver at intervals... which you can also configure.
As soon as it successfully delivers the message it will be purged from the spool.

Re: ODMR/ATRN ?

By Ronald F. Guilmette at 06/09/2019 - 21:37

In message <64994169-2C87-4029-9C31- ... at opendmz dot com>,

Perfect. Just perfect.

Thank you Postfix! Thank you Wietse! Thank you everybody! This is
going to be simpler than I had anticipated, I think. (Knock on wood.)

I do have just a couple of small lingering concerns... things that just
now occurred to me. These relate to dynamic DNS, which I've never actually
used before myself, but which I nonetheless have a sort of vague conceptual
understanding of.

As I understand it, you get yourself your own private FQDN, which is
assigned to you by whatever dynamic DNS provider you choose. And then,
each time your machine gets itself a fresh new DHCP lease, it needs to
send that address, in some manner, to the DDNS provider which will then
update the relevant A record based on your new dynamic IP. Is that a
fair summary?

Assuming so, I have two questions about this...

Well, make that one question. (I just answered my own first question,
which was "Yeabut, what if my whole local network is actually behind my
ASUS SOHO WiFi router and what if it is my router itself that is, in
the first instance, getting the DHCP lease?" Apparently, some ASUS
router models, including mine, fortunately, have an in-built DDNS client,
and that in-built DDNS client can, allegedly, work with both ASUS's own
free DDNS service and also, allegedly, with the one provided by noip.com...
and possibly also others for all I know. So, no problem here! This will
work.)

So, here is my only other question:

Assuming the setup, as discussed here so far, where I'll have a Postfix
instance running on a cloud VM, and where that Postfix instance will have
an appropriate set of entries in transport_maps to cause that Postfix
instance to try to send all mail it has received for my domains on to:

smtp:my-dynamic-fqdn

What happens in this scenario when and if there is a power failure that
takes down my whole network, including my router?

Let's say that the dynamic IP that I *was* using, just before the
power fail, was a.b.c.d. The question is: While I am wandering around
with my flashlight in the dark, what if some other customer of my ISP
happens to request a DHCP lease and also happens to get a.b.c.d ... which
is possible, because after all, *I* am not using that specific IP address
anymore, so it will have been returned to the DHCP free pool.

In this scenario, could that other party who got a.b.c.d, dynamically,
turn on a mail server and begin sucking down *my* emails from *my* cloud
VM Postfix instance?

I guess that another way of asking this might be: Does DDNS have any sort
of "keep alive" signal that, if it goes dark suddenly, will result in
revocation of the relevant DDNS name-to-address mapping?

I know. I know. I should probably be asking about these DDNS details
someplace else. And I probably shall. But since all you folks here
already know exactly what I'm trying to do, and why, and how, it's just
easier to start here.

If what I have described is in fact a plausible and serious potential
security issue, then I guess that rather than using plain old SMTP to
move messages from my VM Postfix to my home Postfix, maybe I should
instead be looking for some alternative transport protocol that verifies
that the receiving node is actually one that *I* own and control... yes?

Does any such thing exist?

Regards,
rfg

Re: ODMR/ATRN ?

By Wietse Venema at 06/10/2019 - 10:23

Ronald F. Guilmette:
Alternatives:

- Use a tunnel (ssh port forwarding, or vpn) which is initiated
by the home machine. This sidesteps any dynamic DNS issues.

- On the cloud MTA, require certificate authentication, so that
it will not send mail to the wrong 'home' server.

Wietse

Re: ODMR/ATRN ?

By Tom Hendrikx at 06/10/2019 - 05:00

On 10-06-19 03:37, Ronald F. Guilmette wrote:
You can add TLS verification to your postfix client in the cloud. The
client will only deliver to a server when it presents a specific SSL
certificate to the client during the handshake. See
http://www.postfix.org/TLS_README.html#client_tls_policy
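The pinning behind both of the replies above (Wietse's "require certificate authentication" and the client TLS policy Tom points at), as an added example that is not part of the thread: Postfix's "fingerprint" security level compares the digest of the peer's certificate (or public key) against a value you put in the policy table, and the same digest format is the key of relay_clientcerts, which Darren's permit_tls_clientcerts setup relies on in the other direction. The certificate bytes below are constructed filler, not a real X.509 certificate, because only the hash matters for the demonstration; the nexthop name is a placeholder.

```python
"""Certificate fingerprints for the cloud <-> home hop in Postfix.

Added example (not from the thread). Postfix's TLS "fingerprint" security
level pins a peer by the digest of its certificate (or public key); the
colon-separated uppercase hex form below is also what
"openssl x509 -noout -fingerprint -sha256" prints. The certificate bytes
are constructed filler, not a parseable X.509 certificate: only the hash
matters here, so a real deployment reads the home server's PEM file instead.
"""
import hashlib
import ssl

# Postfix 3.6+ defaults smtp_tls_fingerprint_digest to sha256 (older: md5).
DIGEST = "sha256"

# Stand-in for the home server's certificate (constructed bytes).
HOME_CERT_DER = b"constructed stand-in for the home server's DER certificate"
HOME_CERT_PEM = ssl.DER_cert_to_PEM_cert(HOME_CERT_DER)


def fingerprint(der, digest=DIGEST):
    """Digest of DER bytes as AA:BB:...:ZZ, the form Postfix logs and expects."""
    hexdigest = hashlib.new(digest, der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def fingerprint_from_pem(pem, digest=DIGEST):
    """Same, starting from the PEM file you copied off the home server."""
    return fingerprint(ssl.PEM_cert_to_DER_cert(pem), digest)


def client_policy_entry(nexthop, fingerprints):
    """smtp_tls_policy_maps line for the cloud MTA delivering to home.

    The key must be the transport_maps nexthop verbatim, brackets and port
    included. Several match= values allow a certificate rollover window.
    """
    matches = " ".join(f"match={fp}" for fp in fingerprints)
    return f"{nexthop} fingerprint {matches}"


def relay_clientcerts_entry(der, label, digest=DIGEST):
    """relay_clientcerts line for the cloud smtpd (home relaying out through
    it with permit_tls_clientcerts); the right-hand side is free text."""
    return f"{fingerprint(der, digest)} {label}"


def peer_accepted(presented_der, policy_matches, digest=DIGEST):
    """The check that makes delivery fail when the wrong server answers:
    the presented certificate's digest must equal one pinned value.
    This comparison ignores case and colons."""
    want = {m.replace(":", "").lower() for m in policy_matches}
    return hashlib.new(digest, presented_der).hexdigest() in want


if __name__ == "__main__":
    pin = fingerprint_from_pem(HOME_CERT_PEM)
    print(client_policy_entry("[home.dyndns.example.net]:2525", [pin]))
    print(relay_clientcerts_entry(HOME_CERT_DER, "home-server"))
    stranger = b"whoever inherited the dynamic IP presents their own cert"
    print("home cert accepted:", peer_accepted(HOME_CERT_DER, [pin]))
    print("stranger accepted: ", peer_accepted(stranger, [pin]))
```

The generated line goes into the file named by smtp_tls_policy_maps on the cloud MTA (with smtp_tls_fingerprint_digest set to match the digest you used); when the host behind the dynamic name presents any other certificate, the TLS handshake fails the policy and the message is deferred, so it sits in the cloud queue until the real home server is reachable again, which is exactly the behaviour the DHCP-reuse scenario in the thread needs. Postfix also accepts the digest of the public key at this level, so a certificate that renews on a short cycle but keeps its key does not force a policy update on every renewal. With the SSH tunnel alternative the nexthop becomes a loopback port the home machine forwards, and the same pin remains a cheap check that the tunnel endpoint is the host you expect.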

Re: ODMR/ATRN ?

By Ronald F. Guilmette at 06/10/2019 - 14:32

In message <86defb20-c153-63ee-d8ef- ... at whyscream dot net>,

Perfect. Thank you. Didn't know about that. But I sure will be trying
to get it working.

Regards,
rfg

Re: ODMR/ATRN ?

By Wietse Venema at 06/09/2019 - 19:10

Wietse Venema:
See also http://www.postfix.org/STANDARD_CONFIGURATION_README.html,
specifically the sections that describe a) a mail firewall and b)
a primary MX for a remote site.

Wietse

Re: ODMR/ATRN ?

By Antonio Leding at 06/09/2019 - 18:33

Just thinking out loud here but because you would want to harden the cloud server in any case, I’m not sure what having a VPN gets you if also using IMAPS and SMTP + SSL between the cloud and the client. I guess one could argue that if you forget to set the SSL on the client side, you’re still covered but not seeing any other benefit.

Please clarify what I am missing if anything…

Re: ODMR/ATRN ?

By Wietse Venema at 06/09/2019 - 18:53

Antonio Leding:
I understand that Ron wants to run Postfix on a static IP address
in the cloud, but he does not want to store his email there, so
that rules out IMAP.

Wietse

Re: ODMR/ATRN ?

By Ronald F. Guilmette at 06/09/2019 - 19:46

In message < ... at spike dot porcupine.org>,

Yes. Exactly.

The more I think about this (transparent TCP/25 proxying) idea, the more
I think it ought to work. I just have to find the Right proxy software.

Somebody mentioned haproxy and I'm looking at that now. It might do the
job.

The problem will be convincing it to dynamically -change- the one and only
-other- IP address that it is proxying traffic to/from based on dynamic
changes to some (dynamic) DNS FQDN. If it can be coerced into doing that
then I think this will work.

So anyway, that will be a total solution for the inbound side. My outbound
mail will have to be handled entirely separately. For that, I'll have to
use someone else's smarthost, or else roll my own, which is easy enough
to do, I think.

If I get this all working, I'll have to do some modest write-up on it.
I already have a title!

How To Run An SMTP Server on a Dynamic Line AND Get Away With It

:-)

Regards,
rfg

Re: ODMR/ATRN ?

By Antonio Leding at 06/09/2019 - 19:52

Chris is the one who mentioned it (haproxy) and FWIW, based on the requirements you’ve stated in this thread, Chris’s setup seems to be almost exactly what you want to do.

In case it got overlooked, I include the key EM here:

### BEGIN ###

I have 3 instances of postfix running (because I travel) but this can
work with 2.
1 server in the cloud, 2 locally one home one office.

The 2 local postfix instances only accept public email from the cloud
VM, but they accept local email (ipcam's, for example on the LAN).

The MX record points to the cloud VM, should it pass the spam test then
the 'clean' email is relayed to 1 of the 2 local postfix servers.
The local servers then deliver to a local Dovecot, where I access my
email from a local private IP on the LAN.

Think of the flow like this.

public email > Cloud VM (postscreen/rspamd test passes) > local Postfix
Whichever local Dovecot received the message with replicate to the other
site.

I think of it this way, the email is coming from the public internet, so
scan it while it's out on the public internet.

If it passes the test, then it's considered 'good enough' to be
delivered to one of the local servers.

Internal email like ipcam's, server emails never leave the local LAN
(except to be replicated to the other local site).

Hope that makes sense.

Chris.

### END ###

Re: ODMR/ATRN ?

By Kevin A. McGrail at 06/09/2019 - 16:56

Well, first, my firm's commercial Raptor anti-spam solution supports
smarthosting for outbound and inbound on an alternate port.  Add any
dynamic DNS solution and you are good to go.  Plus you get the best
business anti-spam solution.  Happy to chat more about pricing. 

But that leads to my answer.  You can just setup a box on a VM with a
static IP and do smtp authentication for smarthosting through that box
and use it as a relay for your domain on an alternate port using Dynamic
DNS.  No need for fetchmail or anything like that.

Regards,
KAM

On 6/9/2019 4:42 PM, Ronald F. Guilmette wrote:

Re: ODMR/ATRN ?

By Ronald F. Guilmette at 06/09/2019 - 18:18

In message <8154118f-d266-aec3-4a6d- ... at PCCC dot com>,

Thank you, but I need to be frank. VM slices are less expensive than
water these days. And also, I'm the world's biggest cheapskate. So I
do believe that I will be rolling my own solution in this instance. But
thanks anyway.

I believe that I understand fully how to handle my outbound email traffic,
i.e. treating my (soon to be) cloud VM running Postfix as a "smarthost"
for outbound. That part is the easy part, and also the simple part.

The harder part is handing the inbound email traffic for my several domains.

I *think* that I *may* perhaps understand your suggestion with regards to
that, but I'll have to think about it awhile longer before I can be sure.

I wish that I had an example to look at, or some slightly-more-detailed
write-up to refer to that would show me how to configure this exact approach
with Postfix.

But if worse comes to worse, I can probably puzzle it all out, starting from
just what you said, above.

One part that I'm sure that I -do not- understand is why you suggested an
alternative port number. Can you explain?

Also, I've never set up any Postfix instance to be a relay before, ever,
so I'm hoping that there is a README available on that specific topic (and
I'll be googling for that any second now.)

The only other thing I can say for now is that although I understand how
MXs and their priorities work, I'm really still not too clear on how I would
get mail to go to the (static IP) cloud VM Postfix instance most or all of
the time, in the first instance, and -then- get all of that stuff to flow,
afterwards, to the (secondary) Postfix that I have running out at the dynamic
FQDN... when that machine is actually online.

Regards,
rfg

Re: ODMR/ATRN ?

By Kevin A. McGrail at 06/09/2019 - 19:21

On 6/9/2019 6:18 PM, Ronald F. Guilmette wrote:
I thought you were Ronald?  :-)

Almost every residential ISP will block ports like 25 and 80 so you
can't run servers on the connections.  You have a static IP and usually
that means they don't block ports.  When you switch away from that
solution, I expect you will see that change.

So you have a domain, tristatelogic.com.

- You get a VM on AWS w/CentOS. 
- You put an Elastic IP on it so it is static. 
- You create a security group that allows 25 and 22 from /0 inbound to
the box
- You create an A record called mail.tristatelogic.com pointed to the IP
- You open a ticket with AWS for the reverse pointer for the box and to
remove smtp throttling
- You set up mail.tristatelogic.com to accept relay mail for the domain
tristatelogic.com.
- Setup SMTP Auth so that someone has to authenticate to send email outbound
- Setup a transport to deliver mail for tristatelogic.com to
local.tristatelogic.com on port 2525

At your home:

- Setup your postfix server so it works like you want called something
like local.tristatelogic.com
- Configure/Purchase a Dynamic DNS service so that something like
ronald.dyndns.something is a CNAME for local.tristatelogic.com so that
your mail works when your ISP changes your IP
- On the firewall at your house, port forward an alternate port such as
2525 to 25 on the postfix server on a static internal IP behind your
firewall
- Setup postfix on local.tristatelogic.com to smarthost with SMTP auth
through mail.tristatelogic.com

Also recommend on both local and mail boxes, you install Let's Encrypt
certs so you can require TLS for all the mail going between
mail.tristatelogic.com and local.tristatelogic.com.  You'll also get
opportunistic TLS for places that support it.

This will let you have inbound and outbound mail working from a server
on a residential grade connection.

As a homework exercise for the reader will be picking better names for
the boxes.  I suggest disney characters, firefly | star (trek|wars)
canon or dilbert characters.  ratbert and dilbert would get at least a
B+ from me.

Regards,

KAM

Re: ODMR/ATRN ?

By Ronald F. Guilmette at 06/09/2019 - 20:14

In message <40a97779-669c-e145-e3ec- ... at PCCC dot com>,

I'm not too sure about that.

*Outbound* port 25, yes. Lots of providers of end-luser lines do block
that, as they most certainly should... with some exceptions.

But for my outbound mail, that's not an issue. I plan to have my mail
client just give stuff (on 587) directly to -somebody's- smarthost...
either my own or somebody else's.

With regards to *inbound* traffic with IP dest set to 25 or 80... I don't
think that most providers give a rat's ass about that... except maybe
Comcast, who may indeed block it, just as a way of extorting even more
money out of their victims for "upgrades" to "business class" service.
But I don't think my provider is one of the ones that plays those games.

I guess I'll find out, soon enough.

Re: ODMR/ATRN ?

By cvandesande at 06/09/2019 - 20:19

Don't forget since you're essentially sending the email from one of your servers to another you can use any port you want on your home side...inbound 25 blocked? No prob use 10025 on your transport_map or any unblocked port you want.

On June 10, 2019 12:14:39 AM UTC, "Ronald F. Guilmette" < ... at tristatelogic dot com> wrote:

Re: ODMR/ATRN ?

By Ronald F. Guilmette at 06/09/2019 - 20:33

In message <7AB4D739-2CA7-4D75-9520- ... at opendmz dot com>,

OK. Good tip. I may need to use that. Thank you.

And just so I'm clear... the syntax for the spec that I would be putting
into transport_maps in that case would look something like this then?

smtp:home-dynamic-fqdn:2525

Or is that too many colons?

Re: ODMR/ATRN ?

By cvandesande at 06/09/2019 - 20:35

Syntax looks good to me.

On June 10, 2019 12:33:01 AM UTC, "Ronald F. Guilmette" < ... at tristatelogic dot com> wrote:

Re: ODMR/ATRN ?

By Antonio Leding at 06/09/2019 - 16:55

Hey rfg,

Just curious…any reason to not use the could-based Postfix server + something like Dovecot and then have your clients access that directly? I have this now for at least 20 domains and it works awesome.

I’m not understanding why the need to relay the mail to your local Postfix instance…I’m sure there is a good reason but I’m just not seeing it as yet…

Re: ODMR/ATRN ?

By Ronald F. Guilmette at 06/09/2019 - 17:29

In message <0100016b3e069855-f95cf3e2-9649-4a55-8290-24a9d44f80cc- ... at email dot

Firstly, I have no idea what you mean by "could-based Postfix". Was that
a typo? What did you mean, actually?

Secondly, in answer to what I think your question was... security. I'm
not keen to have -any- of my mail piling up for any length of time on some
cloud server that I don't have complete and -physical- control over.
Paranoid? You bet.

My plan... if I can figure out a way to do it... will be to have a Postfix
instance running on some cloud VM someplace (with static IP, of course)
and use that for inbound and outbound (smarthost), and meanwhile set up
something like fetchmail here on my home system to pull down all of the
pending inbound messages for all of my domains, say, every 120 seconds
or so. That way nothing will actually stay on the cloud server for very
long, and if anyone manages to break into that, they won't find much in
the way of my confidential emails, because the lifetime of each (stored)
message there will typically be very very short. (Maybe Hillary Clinton
should have been so careful! :-)

I have tried to explain my thought process.

Now that I have done so, I feel sure that someone will explain to me, very
logically, why I am a blithering idiot. That's OK, as long as I learn
something in the process.

Regards,
rfg

Re: ODMR/ATRN ?

By Antonio Leding at 06/09/2019 - 18:00

Hi rfg,

What did I mean by cloud-based postfix:

—> When you said “…"to some VM in the cloud someplace…”, I did presume you meant a Postfix server in the cloud…like on an AWS VM or similar…

Security:

—> With some VMs, you will have complete root-level rights on the server and can do what you wish in terms of server security. In terms of NW security, that will depend of course on the cloud\hosting provider that you happen to use. I use AWS which gives me a lot of NW control…for example, I have a low-cost FW on the front end of my Postfix box and then I also do a few things locally on the actual server all coming together to provide security for my email infrastructure.

In terms of a accessing my email, I just configure IMAP on my client and point it to my Postfix + Dovecot server. This is very similar to many email accounts one might setup using IMAP. No local Postfix server or fetchmail required. Also, you do have the option of keeping the mail in the cloud or transfer it to your local machine. In the latter case however, one thing you would lose is being able to access that mail from any device you wish.

I understand - and share - your concerns re: cloud-based mail security but those issues are manageable if proper infosec is implemented…

Re: ODMR/ATRN ?

By Ronald F. Guilmette at 06/09/2019 - 18:58

In message <0100016b3e41b455-b95a3601-7822-4541-823a-6230f277bf1b- ... at email dot
amazonses.com>, Antonio Leding < ... at leding dot net>wrote:

Yes. Quite. And believe me, I would -never- waste time on or trust in
even the smallest way any VM that I DID NOT have root on.

I already do have one VM "slice", and yes, I do have root on that.

Traditionally, through the past 30+ years, and until quite recently, I've
never placed -any- trust in any machine that I did not have immediate
physical proximity to. And even now, I still view remote cloud servers
with great skepticism, security-wise. The revelations, over the past
year or so, of the multiple entire *waves* of x86 CPU security flaws...
many of which still remain to be patched... have only underscored and
reinforced my original skepticism. Having root on a VM is hardly
insurance against anything, and wasn't, even before anyone even knew
about all of these CPU bugs. How the hell do I know who has access
to my storage volumes if they are in a data center a thousand miles
away from me, being tended by people who I have never even met?

So I approach remote VMs very very cautiously, and unlike various
corporations that have jumped headlong onto the cloud bandwagon with
both feet, I personally put as little of my data as possible on such
things. And even then, you won't catch me putting anything on there that
would cause me real problems if the data were exposed to the entire
planet.

Call me paranoid. Call me a luddite. But I sleep soundly at night.

I disagree, and I believe that I even have evidence to the contrary.

Anybody working in that same data center, or who has either direct or
remote admin access to the whole thing can image your entire drive
anytime they want.... and perhaps without you even knowing that it
happened. We all hope that hosting company personnel won't go around
doing this, willy nilly, or in lieu of a court order, but there are no
guarantees.

Even though I may disagree with you about the security of cloud VMs, I'm
still very glad that you spoke up anyway, because you've made me think
a bit more about the problem I'm trying to solve, and I've just realized
that there may perhaps be a whole different way to skin this cat.

The bottom line is that really, I just want a (another) remote VM *only*
(or primarily) for its static IP address... a static IP that's needed,
generally although not necessarily absolutely, in order to run a mail
server.

Sooooooo... maybe what I really should be trying to figure out is how
I can run a -single- instance of Postfix, down here on my (soon to be
dynamic) end-luser broadband line, and just set up a VM at some fixed
IP address that will be running some sort of a VPN or something that
will just be, in effect, transparently proxying all of the inbound port
25 traffic to my (soon to be dynamic) DSL line.

Will this work? Is anybody doing this already? If so, how do I set it
all up?

Regards,
rfg

Re: ODMR/ATRN ?

By Antonio Leding at 06/09/2019 - 19:03

Couple things - last one first…

The static —> dynamic mapping…I would dig into what Wietse said earlier…VPN. If you merely want to have a static IP just act as basically a front-end for your local dynamic setup, then that’s the ticket…

As to the local errant cloud-tech imaging your HDD, totally agreed…but again, manageable via on-disk encryption…

Regardless, I understand your concern\fears re: putting that much faith in a location\hardware\people you cannot directly touch\manage\talk-to…makes total sense but as I’m sure you’d agree, we all have our varying levels of comfort and thresholds…

Re: ODMR/ATRN ?

By PauAmma at 06/09/2019 - 17:53

On Sun, June 9, 2019 9:29 pm, Ronald F. Guilmette wrote:
I'm guessing "could" is a typo (or perhaps autocorrection) for "cloud".

Re: ODMR/ATRN ?

By Antonio Leding at 06/09/2019 - 18:00

AHHH - yes, thank you Paul - I did mean “cloud” based Postfix…

Re: ODMR/ATRN ?

By cvandesande at 06/09/2019 - 18:12

Maybe something like I'm doing?

I have 3 instances of postfix running (because I travel) but this can
work with 2.
1 server in the cloud, 2 locally one home one office.

The 2 local postfix instances only accept public email from the cloud
VM, but they accept local email (ipcam's, for example on the LAN).

The MX record points to the cloud VM, should it pass the spam test then
the 'clean' email is relayed to 1 of the 2 local postfix servers.
The local servers then deliver to a local Dovecot, where I access my
email from a local private IP on the LAN.

Think of the flow like this.

public email > Cloud VM (postscreen/rspamd test passes) > local Postfix
Whichever local Dovecot received the message with replicate to the other
site.

I think of it this way, the email is coming from the public internet, so
scan it while it's out on the public internet.

If it passes the test, then it's considered 'good enough' to be
delivered to one of the local servers.

Internal email like ipcam's, server emails never leave the local LAN
(except to be replicated to the other local site).

Hope that makes sense.

Chris.

On 09/06/2019 23:00, Antonio Leding wrote:

Re: ODMR/ATRN ?

By Ronald F. Guilmette at 06/09/2019 - 19:02

In message <36fd5ad1-7757-6e52-0640- ... at opendmz dot com>,

Yes, yes, and yes. This definitely sounds a lot like what I want to
do. I've just never set up Postfix as a relay before, so I haven't
even been thinking in those terms, because I don't even know how to do
this... yet.

Thanks for the suggestion. I have a lot of reading to do.

Regards,
rfg

Re: ODMR/ATRN ?

By cvandesande at 06/09/2019 - 19:11

Have a look at Postfix "transport maps" I think Wietse already suggested
it and it's what I'm using.

It's just a one liner config file.

This is mine:

$ cat /etc/postfix/transport_maps
# Mail to anyone at opendmz.com is sent via SMTP to haproxy
opendmz.com smtp:haproxy:10025

The haproxy is an unnecessary layer of complication I added, but it
could just as easily be your home IP.
I'm using dynamic DNS in case my home IP changes, but it hasn't changed
in over 3 years now!

for example:

opendmz.com smtp:my-home-ip.dyndns.org:25

On 10/06/2019 00:02, Ronald F. Guilmette wrote:
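The lookup the cloud-side Postfix performs against a table like the one Chris posted, as an added example that is not part of the thread: it models the transport(5) search order (full address, domain, parent domains, then "*") and the nexthop syntax, so the "too many colons?" question above and the difference between "host:port" and "[host]:port" can be checked without a live Postfix. The table is constructed and the host names are placeholders.

```python
"""Postfix transport(5) lookup, as the cloud MTA applies it to each recipient.

Added example (not from the thread): it models the search order and the
nexthop syntax behind the transport_maps one-liner posted above. Host names
in the sample table are placeholders.
"""
import re

RECIPIENT_DELIMITER = "+"   # main.cf recipient_delimiter

# Constructed sample table in transport(5) format.
SAMPLE_TRANSPORT_MAPS = """\
# example.com -> home server on a non-standard port. The brackets skip the
# MX lookup (a dynamic-DNS name has no MX record), ":2525" overrides the port.
example.com              smtp:[home.dyndns.example.net]:2525
# transport_maps is not in parent_domain_matches_subdomains by default,
# so subdomains need their own ".domain" entry.
.example.com             smtp:[home.dyndns.example.net]:2525
# A more specific key (full address) wins over the domain entry.
postmaster@example.com   local:
# "*" is the default transport for everything else.
*                        smtp:
"""


def parse_transport_table(text):
    """Return {lookup_key: (transport, nexthop)}; keys are case-insensitive."""
    table = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 1)
        key = fields[0].lower()
        result = fields[1].strip() if len(fields) > 1 else ""
        transport, _, nexthop = result.partition(":")
        table[key] = (transport, nexthop)
    return table


def parse_nexthop(nexthop):
    """Split a nexthop into (host, port, mx_lookup).

    "[host]:port" / "[host]"  direct connection, no MX lookup
    "host:port"   / "host"    MX lookup first; ":port" overrides the default
    ""                        no nexthop given (Postfix uses the domain)
    "[ipv6:addr]:port" is the bracket form for IPv6 literals.
    """
    if not nexthop:
        return None, None, True
    m = re.fullmatch(r"\[(?:ipv6:)?([^\]]+)\](?::(\w+))?", nexthop)
    if m:
        return m.group(1), m.group(2), False
    host, _, port = nexthop.partition(":")
    return host, port or None, True


def lookup_keys(address):
    """Yield keys in transport(5) search order:
    user+ext@domain, user@domain, domain, .parent ..., *"""
    local, _, domain = address.lower().rpartition("@")
    if RECIPIENT_DELIMITER in local:
        yield f"{local}@{domain}"
        local = local.split(RECIPIENT_DELIMITER, 1)[0]
    yield f"{local}@{domain}"
    yield domain
    labels = domain.split(".")
    for i in range(1, len(labels)):
        yield "." + ".".join(labels[i:])
    yield "*"


def resolve(address, table):
    """First matching entry, decoded; None if the table has no default."""
    for key in lookup_keys(address):
        if key in table:
            transport, nexthop = table[key]
            host, port, mx_lookup = parse_nexthop(nexthop)
            return {"key": key, "transport": transport,
                    "host": host, "port": port, "mx_lookup": mx_lookup}
    return None


if __name__ == "__main__":
    table = parse_transport_table(SAMPLE_TRANSPORT_MAPS)
    for rcpt in ("alice@example.com", "bob@lists.example.com",
                 "postmaster@example.com", "carol@other.example"):
        print(rcpt, "->", resolve(rcpt, table))
```

So `smtp:home-dynamic-fqdn:2525` is valid, but `smtp:[home-dynamic-fqdn]:2525` is the form to use for a dynamic-DNS name, since it connects to that host directly instead of first asking for an MX record. The file is compiled with `postmap` and named in main.cf via `transport_maps = hash:/etc/postfix/transport`; without a `.domain` line, mail for subdomains falls through to the default entry.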

Re: ODMR/ATRN ?

By Ronald F. Guilmette at 06/09/2019 - 20:03

In message <14936220-5b2f-e44a-2f3a- ... at opendmz dot com>,

Wow! My head is spinning!

I confess that I didn't "get it" at all when Wietse mentioned
transport maps, but I *think* I am just starting to get it now.

So, basically, I can do what I want to do without even introducing
the extra layer of complexity of -any- separate TCP proxy, yes?

Assuming so, this is getting easier and easier by the minute!

If all I really need to do is to put my own personalized version of
the one-liner you posted (above) into /etc/postfix/transport_maps,
then all I can say is "Thank you Postfix!! Thank you Wietse!!"

I can't wait to try this. I'm off now to do just that. It'll take
me awhile. I have to buy a fresh new VM, install an OS and Postfix
on it, set up dynamic DNS for my home machine, read up on how get my
SOHO router to do this fancy-schmancy port forwarding thing (for SMTP
traffic), configure and/or reconfigure two sets of Postfix .cf files,
and then reboot everything in sight and run some tests.

Wish me luck.

Regards,
rfg

Re: ODMR/ATRN ?

By Antonio Leding at 06/09/2019 - 20:05

Good luck…you’ll get it figured... :=)

Re: ODMR/ATRN ?

By Antonio Leding at 06/09/2019 - 18:19

Hi Chris,

Not being critical but really just want to understand why you architected it the way you did…

Are your local PF boxes behind a more secure border than your cloud based PF server? I understand the SPAM part of the design — or I think I do :=) — it seems like you just feel more comfortable performing SPAM analysis in the cloud vs. inside your border…but curious in terms of other infosec…

Also, did you implement pinholes on your local side so you can access mail from different locations or just opt to not have that flexibility?

Re: ODMR/ATRN ?

By cvandesande at 06/09/2019 - 18:31

Ha be critical if you want, I don't mind at all :P

The main reason was reliability, as someone who's always
breaking/rebuilding but also hosts their own email, I needed the email
to spool somewhere in case I broke something for more than a few days.

The local PF boxes are behind home NAT connections with whichever
firewall I felt like trying out at the time. More secure? I don't know
maybe/hopefully?

Having the spam check done on the cloud for the same reasons. Every time
I broke the server running the spam filter, it was like opening the
flood gates :D

For flexibility there's another element I didn't bother to mention...

The same cloud VM runs haproxy which will loadbalance IMAPS connections
back to either of the 2 local Dovecot sites. So I always have access to
my email wherever I happen to find myself.

Chris.

On 09/06/2019 23:19, Antonio Leding wrote:

Re: ODMR/ATRN ?

By Antonio Leding at 06/09/2019 - 18:38

Just practicing the Au-rule…treat others as… :=)

I would definitely agree NAT buys some security via obscurity…cheap, fairly easy, and does help to a degree. So with the haproxy, am I understanding correctly that it will spin up (or already has running) IMAP back to your local site for when you’re say, on the Int’l Space Station, and need to get email?

Kinda cool...

Re: ODMR/ATRN ?

By cvandesande at 06/09/2019 - 18:48

Yeah exactly,

The local instances also don't need to listen on the standard TCP ports,
since they are always only getting email from the cloud VM. So the
firewalls whitelist the cloud VM's IP and the email is coming in via
non-standard ports so I don't have a horde of botnets trying to deliver
garbage to my local Postfix/Dovecot sites. The cloud VM gets the
pleasure of dealing with that.

It's a little unusual but it's worked for me for a couple of years now. 
Private DNS points "mail.opendmz.com" to a local IP, and public DNS
points to the cloud where Haproxy is always listening and will proxy the
IMAP connection back to one of the local sites (again, non-standard
ports and whitelisted IP)

It's nowhere near perfect but I don't know what is.

On 09/06/2019 23:38, Antonio Leding wrote:

Re: ODMR/ATRN ?

By Antonio Leding at 06/09/2019 - 18:49

Yeah - good stuff…I like it…

I checked out the haproxy site and am conjuring ways to put it to use…very cool...Thanks…