From owner-freebsd-questions@FreeBSD.ORG Wed Sep 5 16:01:50 2007
Return-Path:
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id B023116A421 for ; Wed, 5 Sep 2007 16:01:50 +0000 (UTC) (envelope-from tedm@toybox.placo.com)
Received: from mail.freebsd-corp-net-guide.com (mail.freebsd-corp-net-guide.com [65.75.192.90]) by mx1.freebsd.org (Postfix) with ESMTP id 4670E13C45D for ; Wed, 5 Sep 2007 16:01:50 +0000 (UTC) (envelope-from tedm@toybox.placo.com)
Received: from TEDSDESK (nat-rtr.freebsd-corp-net-guide.com [65.75.197.130]) by mail.freebsd-corp-net-guide.com (8.13.8/8.13.8) with SMTP id l85G0vNU056542; Wed, 5 Sep 2007 09:00:58 -0700 (PDT) (envelope-from tedm@toybox.placo.com)
From: "Ted Mittelstaedt"
To: "Jim Stapleton"
Date: Wed, 5 Sep 2007 09:01:20 -0700
Message-ID:
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook IMO, Build 9.0.6604 (9.0.2911.0)
In-Reply-To: <80f4f2b20709050354q4d186df4y6958e2f81d5dfc66@mail.gmail.com>
Importance: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1896
Cc: Nikola Lecic , "Russell E. Meek" , freebsd-questions@freebsd.org
Subject: RE: mail server setup questions
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: User questions
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Wed, 05 Sep 2007 16:01:50 -0000

> -----Original Message-----
> From: Jim Stapleton [mailto:stapleton.41@gmail.com]
> Sent: Wednesday, September 05, 2007 3:55 AM
> To: Ted Mittelstaedt
> Cc: Nikola Lecic; Russell E. Meek; freebsd-questions@freebsd.org
> Subject: Re: mail server setup questions
>
>
> > Jim posted here asking for help, using words and language that
> > gives serious doubt that he is competent to run a mailserver
> > of any kind.
>
> Knowledgeable and competent are two different things. If I were not
> competent, I would not bother attempting to get that knowledge that I
> lack.
>

Of course. The fact you posted at all indicates you're aware that
competence is learned and that you want to become competent. A far more
admirable attitude than the people that assume that everyone is
completely competent at everything and calling someone incompetent is
the same as calling them a baby-killer.

> I don't know the nitty gritty details about exactly what and how mail
> servers are encrypted.
> I don't know all the nitty gritty details about how everything talks
> and intercommunicates.
> I do know that any time a password goes over the internet (not
> just LAN) it needs to be encrypted as securely as possible.

Only if there is a possibility that the communication channel can be
tapped. The phrase "going over the Internet" is so broad as to be
completely meaningless. You can mean just about everything from
completely unencrypted wireless to an untappable OC3 between providers.

Most password cracking takes place on the client - all the encryption in
the world won't protect you from clueless users who click on URLs in
e-mails they get.

> I do know that mail (and other) servers should live in jails.

They can if you want. However I have never done so and never had a
mailserver rooted. Of course, I have kept stuff reasonably up to date -
that is the other part of the issue.

In any case running in a jail does not really address the biggest
problems with mailservers - their hijacking by spammers and other
criminals. By definition a mailserver transfers mail. Putting its
programs in a jail does not make it cease to transfer mail. If such mail
transfer happens between the people you want it to happen between, then
great. But if you misconfigure the stuff you have jailed, the mailserver
will happily transfer mail between the people you don't want it
transferring mail from and everyone else.

> I do know not to run an open relay (take email from any server to
> deliver to any server, without authentication, and plan to achieve
> this by only allowing incoming mail).

I would submit you think you do. For example, are you planning on
putting a webmail interface on the server? A lot of people do. Well if
you do and you put a scrap of CGI on there that has a hole in it a
spammer can come along and cause that to relay mail from incoming http
right into your mail queue. He doesn't need root access to do this.

> I do know that there is no such thing as too much paranoia when
> setting up a server.

Then you know 90% of what you need to know.

Ted
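The relay rule Ted and Jim are arguing about, and the webmail-CGI hole Ted describes, are easier to see in code than in prose. The following is an added example written for this archive page; it is not code from either poster, from FreeBSD, or from any real MTA. The local domains, trusted networks and addresses are constructed for the example. `relay_decision` is the policy an MTA applies to each RCPT TO: deliver locally, relay for authenticated or trusted-network clients, and otherwise refuse; dropping that last refusal is what makes an open relay. `webmail_envelope` shows why a web front end on the mail host needs its own checks: it talks to the MTA from a trusted address, so an unauthenticated HTTP client that can choose recipients, or inject CR/LF into header fields, relays through it without needing root. That second function goes a little beyond the thread by including the header-injection check, which is the usual shape of the "scrap of CGI with a hole in it".

```python
"""Relay policy and webmail submission checks.

Added example for the open-relay discussion in this thread; not code
from the posters or from any MTA. Domains, networks and addresses below
are constructed for the example.
"""
import ipaddress
import re

# Assumed configuration (constructed): domains this host delivers locally,
# and client networks allowed to relay without SMTP authentication.
LOCAL_DOMAINS = {"example.com", "mail.example.com"}
TRUSTED_NETWORKS = [ipaddress.ip_network("192.0.2.0/24"),
                    ipaddress.ip_network("127.0.0.0/8")]

# One bare address, no display name, no routing syntax, no CR/LF.
_ADDR_RE = re.compile(r"^[A-Za-z0-9._%+-]+@([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)$")


def recipient_domain(addr):
    """Return the lower-cased domain of a single bare address, or None."""
    m = _ADDR_RE.match(addr)
    return m.group(1).lower() if m else None


def relay_decision(client_ip, authenticated, rcpt_to):
    """Policy applied to one RCPT TO; returns (accept, reason).

    Accepting mail for a foreign domain from an unauthenticated client
    outside the trusted networks is exactly what an open relay does.
    """
    domain = recipient_domain(rcpt_to)
    if domain is None:
        return False, "malformed recipient"
    if domain in LOCAL_DOMAINS:
        return True, "local delivery"           # inbound mail: always fine
    if authenticated:
        return True, "authenticated submission"
    ip = ipaddress.ip_address(client_ip)
    if any(ip in net for net in TRUSTED_NETWORKS):
        return True, "trusted network"
    return False, "relay denied"                # the line an open relay lacks


def webmail_envelope(form, session_user):
    """Build an SMTP envelope from a webmail form post, or raise ValueError.

    The CGI submits from the mail host itself (127.0.0.0/8 above), so the
    MTA trusts it unconditionally. The form must therefore enforce its own
    policy: a logged-in user, the sender forced to that user, and exactly
    one well-formed recipient with no CR/LF in any header field, so a
    spammer cannot smuggle extra recipients or Bcc: lines through it.
    """
    if not session_user:
        raise ValueError("not logged in")
    to = form.get("to", "")
    subject = form.get("subject", "")
    if "\r" in to or "\n" in to or recipient_domain(to) is None:
        raise ValueError("bad recipient")
    if "\r" in subject or "\n" in subject:
        raise ValueError("header injection in subject")
    return {"mail_from": session_user, "rcpt_to": [to], "subject": subject}


if __name__ == "__main__":
    # Classic relay probe: outside client, no auth, foreign recipient.
    print(relay_decision("203.0.113.7", False, "victim@example.net"))
    # The same probe through an unauthenticated webmail form.
    try:
        webmail_envelope({"to": "victim@example.net"}, session_user=None)
    except ValueError as exc:
        print("webmail refused:", exc)
```

The first probe in the `__main__` block is the one relay-test services send: if a server answers it with anything other than a refusal, it is an open relay regardless of what its configuration file says. The webmail function is the piece people forget, because the MTA's own policy never sees the HTTP client, only the trusted local submission.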