
Re: Cool things to do with server



On Sun, 15 Mar 2015 11:42:38 -0700, Joris Bolsens wrote:


>> Confirming "mail server" will keep you busy - especially the initial
>> configuration (there will be a lot of "WTF, now what'd I do!?" moments,
>> if you're like me).
>> 
>> But yeah, postfix + dovecot (or other sasl agent) is pretty 'secure' in
>> terms of not getting blindly turned into a mail relay.  Throw
>> spamassassin, greylists, and sieve scripts (server-side routing rules)
>> on top of the basic configuration and you'll end up with a really nice
>> MTA. I like mine better than gmail.
> Do you have any tutorials or something on how to setup "spamassassin,
> greylists, and sieve scripts"?

Honestly, I can't remember /where/ I got all the tutorials from.  Most of 
them were probably "google for a bit, oh hey, that sounds promising".

Though I do have this page bookmarked, so it must've been something 
important when I was initially stumbling through things.

http://www.freesoftwaremagazine.com/articles/focus_spam_postfix

>> 
>> If you've got a need to reach it from "anywhere", and don't necessarily
>> always have a laptop, then adding a web MUA (such as horde) is another
>> project.
>> 
> Horde's webmail looks pretty awesome, will definitely look into that.

Yeah, it's pretty nice (once you kick it a couple of times and get it 
playing nice with the server -- or maybe I'm just bad at following 
instructions :) ).  For mine, it even includes a mobile-friendly 
interface right out of the box; although it unfortunately doesn't include 
PGP or S/MIME support in that mode.  Desktop version does though, you 
just have to choose that instead when you log in.

Kind of a pain when I have to send mail from my phone (no one I know 
encrypts mail to me in the first place, so I can just use a generic mail 
app on said phone).  But honestly, I'm sending little enough mail from my 
mobile that I haven't bothered really digging into it and seeing about 
changing that.

>> In either event, I strongly recommend that you purchase a certificate
>> for mail.yourdomain.com, and use it.  It's overall easier (or at least
>> in my experience, switching from the self-signed to the CA-signed cert
>> made things easier).
>> 
> Where do you recommend I get one of these? I tried the startssl thing,
> but chrome still complains that it's not legit.

I used the 60 (90?) day freebie one from comodo until purchasing one from 
them.  Biggest problem I ran into was needing to update one PC's root 
certificates.

Though you have to be specific -- if your server is server.yourdomain.com, 
but you're giving it the hostname "mail.yourdomain.com" for use with 
postfix/dovecot/horde, you've got to request the cert for 
"mail.yourdomain.com".

Same goes for "www" or any other hostname / prefix that you want to use 
(unless you go with a wildcard, which is crazy expensive).


>> Since it's remote, maybe a reverse ssh setup so you can get "home"?
>> 
>> 
> I know what those words mean,  but I have no idea what they mean when
> they are put in that order, care to elaborate? xD
> 

A "reverse SSH" tunnel is a SSH tunnel that works in reverse -- i.e. 
you're making a connection from "host1" to "server" that's intended to 
let "host2" hop through, and get back to "host1".

Let's say you're on a typical residential setup (DHCP), and your ISP has 
a REALLY terrible modem / router / firewall combo unit wherein you're 
unable to open ports or swap it over to bridge mode. So, even if you set 
up dyndns, you're not getting through your ISP crapbox.

So, you create a reverse ssh tunnel from your home desktop (or NAS, 
whatever) over to your AWS server (or whatever).

ssh -R 9999:localhost:22 someuser@AWS_Server

This sets up a ssh tunnel "from" your AWS server to your box behind the 
crappy firewall on port 9999.

So then to connect to it (say from your local starbucks)

1. ssh youruser@AWS_Server <-- this logs you into the AWS server you have
2. ssh localhost -p 9999 <-- this connects you to the reverse tunnel back 
to your home PC / NAS / whatever.


I've actually used this a couple of times to help out family who I've 
upgraded to Linux --> put a shell script on their desktop named something 
like "PC Help" which fires up the reverse SSH connection for them to my 
server, and I just keep a list of whose computers are on what ports.

I'm sure there are more automatic ways to get around it, but having it be 
something they have to click on works out better as it's easier to 
explain on the phone.
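The reverse tunnel and the "PC Help" shortcut described above, written out as an added example (this is not code from the original post or from either poster): a POSIX sh script the machine behind the ISP box runs to keep the tunnel up, the single command you type from the coffee shop, and the authorized_keys line that locks the relay account down to that one forward. The relay hostname relay.example.com, the accounts "tunnel" and "youruser", the key path and the port assignment 9999 are assumptions for illustration only.

```shell
#!/bin/sh
# Added example, not code from the original post. A "PC Help"-style reverse
# tunnel script for the machine behind the ISP box, plus the matching
# server-side authorized_keys line for the relay account.
# All of the following names are assumed for illustration (not in the post):
RELAY_HOST="${RELAY_HOST:-relay.example.com}"   # the "AWS_Server" of the post
RELAY_USER="${RELAY_USER:-tunnel}"              # restricted account that only holds tunnels
ADMIN_USER="${ADMIN_USER:-youruser}"            # normal account you log into the relay with
RELAY_PORT="${RELAY_PORT:-9999}"                # port on the relay assigned to this machine
KEY="${KEY:-$HOME/.ssh/pchelp_ed25519}"         # per-machine key without passphrase, so no typing needed

# The ssh invocation the shortcut runs. -N: no shell on the relay, only the
# forward. ExitOnForwardFailure: if 9999 is still held by a stale session,
# fail instead of connecting with no forward (the silent failure mode of the
# bare command in the post). ServerAlive*: notice a dead NAT mapping within
# about 90 s and exit so the loop below reconnects. With no bind address,
# -R binds 127.0.0.1 on the relay, so 9999 is reachable only after logging
# in to the relay (step 1 in the post), not from the internet at large.
tunnel_cmd() {
    printf 'ssh -N -i %s -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -o ServerAliveCountMax=3 -R %s:localhost:22 %s@%s' \
        "$KEY" "$1" "$RELAY_USER" "$RELAY_HOST"
}

# What you type from the coffee shop: steps 1 and 2 of the post collapsed
# into one ProxyJump command through your normal account on the relay.
# Put your home username in front of "localhost" if it differs from the
# laptop's.
connect_cmd() {
    printf 'ssh -J %s@%s -p %s localhost' "$ADMIN_USER" "$RELAY_HOST" "$1"
}

# authorized_keys line for the relay's "tunnel" account. "restrict"
# (OpenSSH 7.2+) turns off pty, X11/agent forwarding and command execution;
# "port-forwarding" re-enables just forwarding; permitlisten (OpenSSH 7.8+)
# pins the -R port. A compromised family PC then cannot run commands on the
# relay or grab another machine's port.
authorized_keys_entry() {
    printf 'restrict,port-forwarding,permitlisten="%s" %s\n' "$1" "$2"
}

# Reconnect loop behind the "PC Help" icon: keeps the tunnel up across
# modem reboots, with a pause so a relay that is down is not hammered.
run_tunnel() {
    while :; do
        ssh -N -i "$KEY" \
            -o ExitOnForwardFailure=yes \
            -o ServerAliveInterval=30 -o ServerAliveCountMax=3 \
            -R "$RELAY_PORT:localhost:22" "$RELAY_USER@$RELAY_HOST"
        echo "tunnel dropped, retrying in 10s" >&2
        sleep 10
    done
}

case "${1:-}" in
    run)     run_tunnel ;;                          # what the desktop shortcut calls
    show)    tunnel_cmd "$RELAY_PORT"; echo ;;      # print the ssh line for checking
    connect) connect_cmd "$RELAY_PORT"; echo ;;     # print the laptop-side command
    keyline) authorized_keys_entry "$RELAY_PORT" "$(cat "$KEY.pub")" ;;  # append to the relay's authorized_keys
esac
```

Run it once per family machine with a different RELAY_PORT (the "list of whose computers are on what ports" from the post), paste the output of `keyline` into ~tunnel/.ssh/authorized_keys on the relay, and point the desktop shortcut at `run`. The ExitOnForwardFailure option is the important one: without it, a stale session still holding 9999 on the relay lets the new ssh connect and sit there with no working forward, which looks identical from the family member's side.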


