Re: Cool things to do with server
On Sun, 15 Mar 2015 11:42:38 -0700, Joris Bolsens wrote:
>> Confirming "mail server" will keep you busy - especially the initial
>> configuration (there will be a lot of "WTF, now what'd I do!?" moments,
>> if you're like me).
>>
>> But yeah, postfix + dovecot (or other sasl agent) is pretty 'secure' in
>> terms of not getting blindly turned into a mail relay. Throw
>> spamassassin, greylists, and sieve scripts (server-side routing rules)
>> on top of the basic configuration and you'll end up with a really nice
>> MTA. I like mine better than gmail.
> Do you have any tutorials or something on how to setup "spamassassin,
> greylists, and sieve scripts"?
Honestly, I can't remember /where/ I got all the tutorials from. Most of
them were probably "google for a bit, oh hey, that sounds promising".
Though, I have this page bookmarked; so it must've been something
important when I was initially stumbling through things.
http://www.freesoftwaremagazine.com/articles/focus_spam_postfix
>>
>> If you've got a need to reach it from "anywhere", and don't necessarily
>> always have a laptop, then adding a web MUA (such as horde) is another
>> project.
>>
> Horde's webmail looks pretty awesome, will definitely look into that.
Yeah, it's pretty nice (once you kick it a couple of times and get it
playing nice with the server -- or maybe I'm just bad at following
instructions :) ). For mine, it even includes a mobile-friendly
interface right out of the box; although it unfortunately doesn't include
PGP or S/MIME support in that mode. Desktop version does though, you
just have to choose that instead when you log in.
Kind of a pain when I have to send mail from my phone (no one I know
encrypts mail to me in the first place, so I can just use a generic mail
app on said phone). But honestly, I'm sending little enough mail from my
mobile that I haven't bothered really digging into it and seeing about
changing that.
>> In either event, I strongly recommend that you purchase a certificate
>> for mail.yourdomain.com, and use it. It's overall easier (or at least
>> in my experience, switching from the self-signed to the CA-signed cert
>> made things easier).
>>
> Where do you recommend I get one of these? I tried the startssl thing,
> but chrome still complains that it's not legit.
I used the 60 (90?) day freebie one from comodo until purchasing one from
them. Biggest problem I ran into was needing to update one PC's root
certificates.
Though you have to be specific -- if your server is server.yourdomain.com,
but you're giving it the hostname "mail.yourdomain.com" for use with
postfix/dovecot/horde, you've got to request the cert for
"mail.yourdomain.com".
Same goes for "www" or any other hostname / prefix that you want to use
(unless you go with a wildcard, which is crazy expensive).
>> Since it's remote, maybe a reverse ssh setup so you can get "home"?
>>
>>
> I know what those words mean, but I have no idea what they mean when
> they are put in that order, care to elaborate? xD
>
A "reverse SSH" tunnel is an SSH tunnel that works in reverse -- i.e.
you're making a connection from "host1" to "server" that's intended to
let "host2" hop through, and get back to "host1".
Let's say you're on a typical residential setup (DHCP), and your ISP has
a REALLY terrible modem / router / firewall combo unit wherein you're
unable to open ports or swap it over to bridge mode. So, even if you set
up dyndns, you're not getting through your ISP crapbox.
So, you create a reverse ssh tunnel from your home desktop (or NAS,
whatever) over to your AWS server (or whatever).
ssh -R 9999:localhost:22 someuser@AWS_Server
This sets up an ssh tunnel "from" your AWS server to your box behind the
crappy firewall on port 9999.
So then to connect to it (say from your local starbucks)
1. ssh youruser@AWS_Server <-- this logs you into the AWS server you have
2. ssh localhost -p 9999 <-- this connects you to the reverse tunnel back
to your home PC / NAS / whatever.
I've actually used this a couple of times to help out family who I've
upgraded to Linux --> put a shell script on their desktop named something
like "PC Help" which fires up the reverse SSH connection for them to my
server, and I just keep a list of whose computers are on what ports.
I'm sure there are more automatic ways to get around it, but having it be
something they have to click on works out better as it's easier to
explain on the phone.
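Below is an added example (not the poster's script, and not part of the thread above) of what the "PC Help" launcher and its server-side key entry can look like when the tunnel is set up so that neither the relay nor the home machine is exposed more than it needs to be. The relay host relay.example.com, the "tunnel" account on it, and the machine/port list are all assumptions made for the example; the port list in particular is constructed.

```shell
#!/bin/sh
# Added example, not code from the post above. A "PC Help"-style launcher for the
# reverse tunnel the reply describes, plus the authorized_keys line for the relay side.
# Assumed names: relay host relay.example.com, a dedicated account "tunnel" on it, and
# the machine/port list below, which is constructed for the example.

set -u

RELAY_HOST="${RELAY_HOST:-relay.example.com}"
RELAY_USER="${RELAY_USER:-tunnel}"
LOCAL_SSH_PORT="${LOCAL_SSH_PORT:-22}"

# Stand-in for the "whose computer is on which port" list: one "name port" per line.
PORT_MAP='
mums-laptop 9999
dads-desktop 9998
home-nas 9997
'

# Print the relay port assigned to a machine; return 1 (and print nothing) if unknown.
port_for_machine() {
  printf '%s\n' "$PORT_MAP" | awk -v m="$1" '$1 == m { print $2; found = 1 } END { exit !found }'
}

# Accept only an unprivileged TCP port, so the relay account never needs root to bind it.
valid_port() {
  case "$1" in
    '' | *[!0-9]*) return 1 ;;
  esac
  [ "$1" -ge 1024 ] && [ "$1" -le 65535 ]
}

# authorized_keys entry for the home machine's key on the relay (OpenSSH 7.8 or newer for
# permitlisten). "restrict" switches off pty, agent/X11 forwarding and port forwarding;
# "port-forwarding" re-enables forwarding, "permitlisten" confines -R to this one loopback
# port, and the forced command means the key cannot be used to get a shell on the relay
# if the home box is ever compromised. The client must therefore connect with -N.
authorized_keys_line() {
  printf 'restrict,port-forwarding,permitlisten="127.0.0.1:%s",command="/bin/false" %s' "$1" "$2"
}

# Keep the tunnel up. -R binds to the relay's loopback only, so a visitor still has to log
# in to the relay before they can reach the forwarded port (the sshd default GatewayPorts=no
# agrees with this). ExitOnForwardFailure makes ssh fail loudly if the port is already taken
# instead of sitting "connected" with no tunnel, and the keepalives make it exit when the
# home NAT mapping dies so the loop reconnects.
run_tunnel() {
  port=$(port_for_machine "$1") || { echo "unknown machine: $1" >&2; return 1; }
  valid_port "$port" || { echo "bad port for $1: $port" >&2; return 1; }
  while :; do
    ssh -N \
        -o ExitOnForwardFailure=yes \
        -o ServerAliveInterval=30 \
        -o ServerAliveCountMax=3 \
        -R "127.0.0.1:$port:localhost:$LOCAL_SSH_PORT" \
        "$RELAY_USER@$RELAY_HOST"
    sleep 10
  done
}

# Usage: ./pc-help.sh run mums-laptop   (what the desktop shortcut calls)
#        ./pc-help.sh key mums-laptop "$(cat ~/.ssh/id_ed25519.pub)"   (print the relay line)
case "${1:-}" in
  run) run_tunnel "${2:-}" ;;
  key) authorized_keys_line "$(port_for_machine "${2:-}")" "${3:-}"; echo ;;
esac
```

From the coffee shop the two-step login in the post works unchanged (ssh to the relay, then "ssh localhost -p 9999"); on OpenSSH 7.3 or newer the same thing is "ssh -J youruser@relay.example.com -p 9999 localhost" in one go, provided your own key on the relay is allowed to forward. The home machine's key and your own key should be separate entries on the relay: the home key gets the restricted line above, yours does not.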