Mail on "raspberry"

Design

Mail, mail ... "Currently, any novice user can get his own free e-mail box, just register on one of the Internet portals," says Wikipedia. So launching your own mail server for this is a bit strange. Nevertheless, I do not regret the month spent on this, counting from the day the OS was installed to the day the first letter was sent to the addressee on the Internet.

In fact, IPTV receivers, a single-board computer based on the Baikal-T1 processor, as well as Cubieboard, Banana Pi and other devices equipped with ARM microprocessors can be put on a par with "raspberries". "Malinka" was chosen as the most aggressively advertised option. It took more than one month to find at least some practical use for this “single-board computer”. Finally, I decided to run a mail server on it, having read a fantasy novel about virtual reality shortly before.

“This is a great vision for the future of the Web,” Wikipedia says about it. It has been 20 years since the first publication. The future has arrived. However, it doesn’t seem great to me without seven thousand subscribers, ten thousand rubles of “my site’s monthly income”, etc. That is probably what pushed me towards “decentralized social networks” with “a meager number of likes under their (new users – N.M.) posts”, domain registration and the launch of my own server.

I am not strong in laws. The only one I know of is federal law 126-FZ, because a message came to my mobile phone about the need to confirm personal data in connection with the entry into force of amendments to it.

And then it turned out that these laws are like mushrooms after the rain. If I had continued to use free mail, I would probably not have known.

"And who are we now"

First, the organizer of an e-mail service is simply not in the law. There is an "instant messaging service organizer", but that is a little different. The addition “for personal, family and household needs” does, of course, remove from this organizer all the obligations provided for by law, but it removes them from the wrong organizer, not from the one that needs it.

Having at hand an Ubuntu Server manual alongside the law, I guess that, in addition to chats with their instant messages, the systems "for receiving, transmitting, delivering and (or) processing electronic messages from Internet users" also include email services (which is obvious) and file servers (which is not so obvious).

Development

Compared to other articles here with the postfix hashtag, my creation is, of course, very primitive. No user authentication, no database, no users not tied to local accounts (the first and third are in the "minimal mail server"; the database is almost everywhere, just like Dovecot).

“Configuring the mail system, in my opinion, is the most difficult task in system administration,” one Habr user wrote very well. I followed PostfixBasicSetupHowto (on help.ubuntu.com), but I did skip the parts about the alias database, .forward files, and virtual aliases.

But for SSL/TLS I took 12 configuration lines plus 9 bash command lines for creating certificates from the dedicated Postfix articles on CommunityHelpWiki (on the same domain, help.ubuntu.com); whether this SSL/TLS actually works is another question. Also useful were the firewall in the provider’s personal account and NAT on the router (I put off setting up the Mikrotik as long as possible; I sent letters by connecting the mail server directly to the ISP’s cable brought into the apartment), the commands mail, mailq and postsuper -d identifier, the file /var/log/mail.log, the always_add_missing_headers parameter, information about the PTR record and, finally, the site mail-tester.com (with an oligophrenic design). None of these are written about in the "mail" articles on Habr, as if they were taken for granted.

Before correcting the value of the myhostname parameter in the /etc/postfix/main.cf file

After correcting the value of the myhostname parameter in the /etc/postfix/main.cf file

The first email from the ISP's tech support taught me not to open emails with the mail console program, so that they can then be opened and read with a familiar email client. Apparently, this too is not a problem "for novice admins."

On the contrary, in the comments (to other articles with the postfix hashtag), one Habr user asks “to complicate things a bit, what about web interfaces to different parts and authentication from the database”, for another “apparently, it is the most difficult for those who have not tried anything sweeter than radish: kernel crashes, security (selinux/apparmor), slightly distributed systems…”, a third writes about “iRedmail script”. So you are waiting for the next one to offer to write about IPv6.

Email services, on the other hand, are not spherical horses in a vacuum, they are parts of the whole - from choosing a computer and a domain name to setting up a router - which no manual for setting up a mail server can cover (and in which you will probably never read the materiel - Postfix SMTP relay and access control, available on the official Postfix website).

About Mikrotik - so generally a separate song.

OK, it's all over now. E-mail has ceased to be a set of console commands, configuration files (including DNS settings), logs, documentation, and hexadecimal numbers instead of Russian letters (according to the koi8-r character table) in a received letter, and has become once more a familiar mail client with its IMAP, POP3 and SMTP protocols, accounts, incoming and sent messages.

In general, outwardly the same as e-mail when using free e-mail services from the largest IT companies.

Even without a web interface.

Operation

Still, there is no escape from viewing the logs!

I hasten to please those who expected to read about the darknet here. I can’t call what the mail log of the newly minted server turned out to be anything other than a manifestation of some mysterious darknet: within a couple of days (after connecting directly) it filled with messages about attempts to connect via POP3 under different names from a couple of IP addresses. (At first I mistakenly thought that the server was periodically trying to send two letters from the queue; I didn’t assume that my mail could so quickly be of interest to someone else on the Internet.)

These attempts did not stop even after I connected the server through a router. Today's logs are full of SMTP connections from the same IP address, unknown to me. Nevertheless, I am self-confident enough not to take any action against this: I hope that even if the username for receiving emails is guessed correctly, the attacker will not be able to guess the password. I'm sure many will find this unsafe, just as they will find it unsafe to rely, against today's attacks, solely on the SMTP relay and access control settings in /etc/postfix/main.cf.

And they will smash the protection of my mail to smithereens.
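
An added example, not part of the original post: a per-source-IP summary of the kind of log entries described above (POP3 logins under different names, repeated SMTP connections). It assumes Dovecot-style pop3-login lines and Postfix smtpd connect lines; the post does not say which POP3 daemon was used, and the sample lines and addresses are constructed.

```python
import re
from collections import defaultdict

# Constructed sample in the style of /var/log/mail.log (documentation IP ranges).
SAMPLE_LOG = """\
Mar  3 02:11:07 mail dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<admin>, method=PLAIN, rip=203.0.113.7, lip=192.0.2.10, session=<a1>
Mar  3 02:11:15 mail dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<info>, method=PLAIN, rip=203.0.113.7, lip=192.0.2.10, session=<a2>
Mar  3 02:11:23 mail dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<test>, method=PLAIN, rip=203.0.113.7, lip=192.0.2.10, session=<a3>
Mar  3 02:14:40 mail dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 3 secs): user=<root>, method=PLAIN, rip=198.51.100.22, lip=192.0.2.10, session=<b1>
Mar  3 08:30:01 mail dovecot: pop3-login: Login: user=<nm>, method=PLAIN, rip=192.0.2.55, lip=192.0.2.10, mpid=4242, session=<c1>
Mar  3 09:02:11 mail postfix/smtpd[2201]: connect from unknown[198.51.100.22]
Mar  3 09:02:12 mail postfix/smtpd[2201]: disconnect from unknown[198.51.100.22]
Mar  3 09:05:44 mail postfix/smtpd[2207]: connect from unknown[198.51.100.22]
"""

# Assumed line formats: Dovecot failed POP3 login, Postfix inbound SMTP connect.
POP3_FAIL = re.compile(r"pop3-login: .*auth failed.*user=<([^>]*)>.*rip=([0-9a-fA-F.:]+)")
SMTP_CONNECT = re.compile(r"postfix/smtpd\[\d+\]: connect from \S*\[([0-9a-fA-F.:]+)\]")


def summarize(log_text):
    """Per source IP: failed POP3 logins, distinct usernames tried, SMTP connects."""
    stats = defaultdict(lambda: {"pop3_failed": 0, "users": set(), "smtp_connects": 0})
    for line in log_text.splitlines():
        m = POP3_FAIL.search(line)
        if m:
            user, ip = m.groups()
            stats[ip]["pop3_failed"] += 1
            stats[ip]["users"].add(user)
            continue
        m = SMTP_CONNECT.search(line)
        if m:
            stats[m.group(1)]["smtp_connects"] += 1
    return dict(stats)


def suspects(stats, min_users=2):
    """IPs that tried several different account names: guessing, not a typo."""
    return sorted(ip for ip, s in stats.items() if len(s["users"]) >= min_users)


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    for ip, s in sorted(result.items()):
        print(ip, s["pop3_failed"], sorted(s["users"]), s["smtp_connects"])
    print("multiple usernames from:", suspects(result))
```

The list returned by suspects() is a natural input for a firewall rule or a rate limit on the POP3 port, which is the action the logs above call for.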

Source: habr.com
