Links


Homepage

Home

Blog

Blog

Files

Files

git

Git Server

Email me

Contact Me

ryan@themainframe cat posts/mailserver-addendum.html

I used Luke Smith's video on setting up an email server, and although it got me 90% of the way there, I encountered a couple of snags that he was able to avoid for whatever reason.

Port 25

By default the well-known port 25 (SMTP) is blocked on Vultr. They do this to minimize the amount of spam that comes from their servers. You can verify that this is the problem by:

journalctl | grep 'timed out' -i

If the output has the number `25' it is safe to assume that this is the problem (I fixed this problem months ago, so I don't have any sample output to show you. Sorry!). You can fix it by opening up a ticket with Vultr's support, simply ask them to unblock the port.

Reverse DNS

I just attempted to submit a patch to the GNU project today only to have my mail rejected because I had not set up a reverse DNS entry with Vultr. It's not uncommon for mailservers to reject your mail for this. To set up reverse DNS:

ipv4

  • Go to products->instances->your-server-settings->ipv4 and simply add your domain name (like ryanmj.xyz) on the column that says "reverse DNS".

ipv6

  • Go to the ipv6 settings
  • Copy the address under the "network" column and take note of the "netmask" number.
  • run:
sipcalc network_addr/netmask_number

Replace network_addr with your copied address, and replace netmask_number with the number under "netmask".

It will give you something that looks like this:

[ryan@Springfield ~]$ sipcalc 2001:19f0:5:3b2d::/64
-[ipv6 : 2001:19f0:5:3b2d::/64] - 0

[IPV6 INFO]
Expanded Address        - 2001:19f0:0005:3b2d:0000:0000:0000:0000
Compressed address      - 2001:19f0:5:3b2d::
Subnet prefix (masked)  - 2001:19f0:5:3b2d:0:0:0:0/64
Address ID (masked)     - 0:0:0:0:0:0:0:0/64
Prefix address          - ffff:ffff:ffff:ffff:0:0:0:0
Prefix length           - 64
Address type            - Aggregatable Global Unicast Addresses
Network range           - 2001:19f0:0005:3b2d:0000:0000:0000:0000 -
			  2001:19f0:0005:3b2d:ffff:ffff:ffff:ffff

-

Copy the ipv6 address on the top row of "Network range" and place a colon, then replace the numbers at the end with a number in the appropiate range. For example, my chosen address is: 2001:19f0:5:3b2d::2.

  • Add a reverse DNS entry in Vultr with your chosen ipv6 as the ip address and your domain name as the entry.

fail2ban

While trying to fix a tiny problem with by server I encountered dozens of lines like this in journalctl:

Sep 15 11:36:54 underground postfix/smtps/smtpd[32284]: warning: unknown[212.70.149.68]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Sep 15 11:37:00 underground postfix/smtps/smtpd[32284]: lost connection after AUTH from unknown[212.70.149.68]

These logs would come in every 2 minutes, it appears that someone is using a script to hack the server.

To fix this, I use fail2ban, a service that puts IP's associated with too many failed login attempts into a jail (essentially a timeout area). It can also block IP's completely.

Once you install the package:

cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

And apply this patch to /etc/fail2ban/jail.local:

--- /etc/fail2ban/jail.conf     2018-01-18 13:49:01.000000000 +0000
+++ /etc/fail2ban/jail.local    2020-09-16 00:10:44.888473433 +0000
@@ -51,7 +51,7 @@
 # "ignoreip" can be a list of IP addresses, CIDR masks or DNS hosts. Fail2ban
 # will not ban a host which matches an address in this list. Several addresses
 # can be defined using space (and/or comma) separator.
-#ignoreip = 127.0.0.1/8 ::1
+ignoreip = 127.0.0.1/8 ::1

 # External command that will take an tagged arguments to ignore, e.g. <ip>,
 # and return true if the IP is to be ignored. False otherwise.
@@ -60,7 +60,7 @@
 ignorecommand =

 # "bantime" is the number of seconds that a host is banned.
-bantime  = 10m
+bantime  = 1h

 # A host is banned if it has generated "maxretry" during the last "findtime"
 # seconds.
@@ -244,7 +244,8 @@
 port    = ssh
 logpath = %(sshd_log)s
 backend = %(sshd_backend)s
-
+maxretry = 3
+enable = true

 [dropbear]

@@ -541,6 +542,7 @@
 port    = smtp,465,submission
 logpath = %(postfix_log)s
 backend = %(postfix_backend)s
+enabled = true


 [postfix-rbl]
@@ -638,7 +640,7 @@
 # "warn" level but overall at the smaller filesize.
 logpath  = %(postfix_log)s
 backend  = %(postfix_backend)s
-
+enabled = true

 [perdition]

Then, start the service:

systemctl enable fail2ban
systemctl start fail2ban

Your mailserver should now be good to go. Happy mailing!

POWERED BY EMACS GPLv3 POWERED BY SXEMACS POWERED BY XEMACS ipv6 ready Valid CSS!