Re: Advise on setup of small office locally or via VPS
On Tue, 17 Mar 2015 13:38:26 +0000, Dan Purgert wrote:
<snip>
> Didn't you just say that you were using a Debian box as your firewall/
> router?
Not yet. I'm still employed but have everything up and running in a VPS,
and I have all the legal stuff in order like VAT and so on.
Legally this means it's seen as a secondary activity.
From the moment I quit, it becomes my main occupation.
That's how it works over here.
Currently I have my own VPS running but no business internet line yet, nor
a Debian firewall, but that's the plan. Just thinking ahead on how I will
get up and running as fast as possible :)
> Personally I have used Ubiquiti Edge Routers (ubnt.com), and they're
> really nice - based on Vyatta 6.3, rival bigger names in terms of
> routing performance, and are cheap ($100 for the 3-port model "ER Lite",
> and under $500 for the 8-port "ER-8". There's also a "PRO" variant of
> the 8-port that includes 2 SFP ports that're shared with 2 of the copper
> ports, and a 5-port model with PoE, but this is really only the ER Lite
> with a switch in the same case, so it's 2x routing ports + 3x switch
> ports, and might not fit in your situation).
>
> Here's the Datasheet for their routers -->
> http://dl.ubnt.com/datasheets/edgemax/EdgeRouter_Lite_DS.pdf
Thanks, looks like a simple and adequate solution.
> It's not "difficult" to get redundancy, though depending on the levels
> of redundancy you're after, it can get a bit complex.
>
> Easiest route is a cold spare -- buy a second of whatever router, config
> it exactly the same way, and then shut it down for use if / when the
> first one dies.
>
> Though you could always scale to multiple WAN connections spread across
> multiple routers, with OSPF / iBGP being used to manage the routes...
> but this is probably a bit much for a small business.
>
I should have been more clear about the use case. The cold spare in my
case is enough. If a lot of other people would use services, that's
something else, but I don't see that happening in the near future.
> Depends on how their router is configured, but this sounds about right.
> That said, in 99.5% of cases that I've seen the ISP-provided routers are
> absolute rubbish, and should be relegated to bridge-only mode so that
> you can use a better (i.e. more configurable) device to handle the
> tasks.
I didn't know that. Thank you for the information.
> If the email server is public already (in the DMZ zone), you'll probably
> have an easier (and still secure) time if you just have the clients
> using STARTTLS to access THAT server. Not that you couldn't set up a
> gateway / relay, but there is much to be said about the KISS principle.
The mail service is public on the VPS. There isn't a DMZ zone on that
server. As you suggest, both postfix and Dovecot are accessible via
STARTTLS/SSL. If I read your comment correctly, you would leave the
mail server config as it is, and put it in a DMZ and that's it?
This would also leave the mails in the DMZ but, as you said, accessing mail
can only be done over a secure connection (SSL).
I have SSL certificates set up for this (for my website, and Dovecot).
>> - I have Roundcube (webmail) installed as well. I think I could handle
>> this by forwarding the requests from firewall to the internal mail
>> server.
>> Not sure if this is the safest way to do this.
>> One can of course argue about web mail in the first place.
>
> Again, might be easiest (best) to keep the entire mail service in the
> DMZ, including webmail.
OK I would really like to go KISS :)
Basically, if I end up with a local situation I would move the services
to a local server in a DMZ zone. Otherwise, I could just keep the VPS
to serve as our mail server.
>> - Central user and document management.
>> I would like to have a space on the file server where people could
>> store their own and shared documents. I think I would need NFS for this
>> (haven't used this before). The docs might need to be accessible from
>> Windows as well, although I really would like to only use Debian
>> machines for my own people. Otherwise, this would mean using Samba.
>
> If you need / want access to the file server from windows hosts, I'm
> pretty sure samba is your only solution.
That's what I thought.
>> My mail users are in a Postgresql database. I would like to keep it
>> that way if I would ever provide mail to customers.
>
> Sure. If you're selling email services, then you might need a dedicated
> DB box, but that's not exactly 'difficult'.
Indeed. There is some really great info regarding Postfix and keeping
all the necessary info in a Postgresql db. If I would ever go with
offering this as a service to users, I would use Django to build a web
interface but that's a whole different topic.
In my current mail setup, I would need to provide a way for users to
change their password. Maybe Roundcube has such a plugin.
>> I can see LDAP being useful to have central authentication.
>> It can be a challenge to setup though. Are there other ways of having a
>> simple central authentication?
>
> LDAP, and a couple of books on the subject. ;)
Hehe, in the past I have set up LDAP on my own home network with Samba.
It worked great and I could login from my Windows machine as well.
The docs that I wrote back then will be horribly outdated by now :)
I like using a CLI but not when dealing with LDAP.
Are there any good gui tools to manage a LDAP server?
I have come across phpLDAPadmin. Is it any good?
>> I have thought about using a document management system from the start.
>> But I have only experience with commercial ones and that might be
>> overkill from the start. Besides, they are Windows based.
>
> You mean like git?
Funny you should say that. I have thought about using git for this.
Are there people using git to keep track of docs?
I suppose you need a hierarchical tree setup to put the docs in
appropriate folders.
For my own notes, I use a virtualenv with Sphinx for my docs in rst
format, and generate html docs.
It works great.
>> VPS ===
<snip>
> file server should be local. However, there's no reason that you could
> not set up a local file server, and still run other services (e.g.
> email) off a VPS.
That is kind of a hybrid solution I was thinking of as well.
That would mean keeping the VPS, and using a firewall and file server
locally with whatever local services (LDAP, nginx) I need.
Can't get more KISS than that.
>> Might make it a bit harder to fully manage reverse dns. As for my
>> current VPS, I had to ask my VPS supplier to insert a reverse DNS
>> record for my mail server as I don't own the range and as such, can't
>> set the reverse DNS. If I would want to manage this myself, I would
>> need to reserve a small range with the VPS supplier.
>> I probably wouldn't need those in the case of receiving a range of
>> public IP addresses from the ISP that provides the company internet
>> line.
>> If I would use these public IP's, I wouldn't need the VPS range, and I
>> could manage my own reverse DNS and have the firewall forward the
>> traffic from these public IP's to the private IP's (well also public
>> IP's because you get a public IP with every VPS) of the corresponding
>> VPS'es over the OpenVPN connection?
>
> I'm honestly not sure where you intended to go with this one?
> Realistically, you can do most (all) of what you want to do with a
> single public IP from your ISP. Multiple IPs just make it easier to
> work with.
I was referring to a problem I had when setting up my mail server on the
VPS. I had set up reverse DNS but no reverse DNS request made it to my
DNS server, which was to be expected as I don't own the range, my VPS
provider does. I needed to ask them to add a reverse DNS entry in their
zone to have the public IP assigned to me point to my VPS server
with the name I specified for my mail server.
I thought I could avoid this, if I have a range of public IP's.
If I do, then the reverse DNS queries would probably make it to my DNS
service. But I'm not sure about that.
> Depending on your ISP and their policies, you may need to work with them
> to get the reverse DNS entries added.
Indeed, as I had to do for my VPS.
Thanks for all the info. I appreciate it.
Regards,
Bene
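The reverse DNS question at the end of the thread comes down to two things a receiving mail server checks: that the sending address has a PTR record, and that the name in that PTR resolves back to the same address (forward-confirmed reverse DNS). Whether the PTR queries ever reach your own name server depends on whether the owner of the address range delegates the matching in-addr.arpa zone to you; a single VPS address never gets its own delegation, which is why the provider had to add the entry. The script below is an added example written for this page, not code from either poster. All DNS data in it is constructed and served from in-memory lookup functions so it runs offline; the host names, the 203.0.113.0/24 documentation addresses and the `lookup_ptr`/`lookup_a` hooks are assumptions, and for a live check you would pass real resolver wrappers in their place.

```python
"""Forward-confirmed reverse DNS (FCrDNS) check for a mail host.

Added example for this thread, not code from the original posters. The DNS
data is constructed and served by in-memory lookup functions so the script
runs offline; for a live check pass real resolvers (for example wrappers
around socket.gethostbyaddr / socket.gethostbyname_ex) as lookup_ptr/lookup_a.
"""
import ipaddress

# Constructed sample records (RFC 5737 documentation addresses, example names).
SAMPLE_PTR = {
    "203.0.113.25": ["mail.example.com."],                 # PTR already set by provider
    "203.0.113.26": ["vps-26.hosting-provider.example."],  # provider's generic PTR
    "203.0.113.27": [],                                     # no PTR at all
    "203.0.113.28": ["stale.example.com."],                 # PTR that no longer points back
}
SAMPLE_A = {
    "mail.example.com.": ["203.0.113.25"],
    "vps-26.hosting-provider.example.": ["203.0.113.26"],
    "mail2.example.com.": ["203.0.113.26"],
    "stale.example.com.": ["203.0.113.99"],
}


def _norm(name):
    """Canonical form for comparing host names: lower case, one trailing dot."""
    return name.strip().lower().rstrip(".") + "."


def sample_ptr(ip):
    """Offline stand-in for a PTR lookup (returns a list of names)."""
    return SAMPLE_PTR.get(ip, [])


def sample_a(name):
    """Offline stand-in for an A lookup (returns a list of addresses)."""
    return SAMPLE_A.get(_norm(name), [])


def reverse_name(ip):
    """The in-addr.arpa (or ip6.arpa) name a resolver queries for the PTR."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def reverse_zone(network):
    """Reverse zone the ISP must delegate for you to serve PTRs yourself.

    Only /8, /16 and /24 map to a plain in-addr.arpa zone. Smaller blocks
    need RFC 2317 classless delegation (the /24 owner adds CNAMEs pointing
    into a zone of yours), and a single address (/32, the usual VPS case)
    leaves the PTR in the provider's zone, so this returns None for those.
    """
    net = ipaddress.ip_network(network, strict=False)
    if net.version != 4:
        raise ValueError("IPv4 only in this example")
    if net.prefixlen not in (8, 16, 24):
        return None
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa"


def fcrdns(ip, expected_host, lookup_ptr=sample_ptr, lookup_a=sample_a):
    """Return (ok, reason).

    ok is True only when ip has a PTR, that PTR name resolves back to ip
    (forward confirmation), and the name is the one the MTA announces.
    """
    want = _norm(expected_host)
    ptrs = [_norm(n) for n in lookup_ptr(ip)]
    if not ptrs:
        return False, "no PTR for %s (%s)" % (ip, reverse_name(ip))
    confirmed = [n for n in ptrs if ip in lookup_a(n)]
    if not confirmed:
        return False, "PTR %s does not resolve back to %s" % (", ".join(ptrs), ip)
    if want not in confirmed:
        return False, "PTR is %s, not %s: ask the range owner to change it" % (
            ", ".join(confirmed), want)
    return True, "%s and %s are forward-confirmed" % (ip, want)


if __name__ == "__main__":
    for ip, host in [("203.0.113.25", "mail.example.com"),
                     ("203.0.113.26", "mail2.example.com"),
                     ("203.0.113.27", "mail3.example.com"),
                     ("203.0.113.28", "stale.example.com")]:
        print(ip, host, fcrdns(ip, host))
    print("203.0.113.0/24 ->", reverse_zone("203.0.113.0/24"))
    print("203.0.113.8/29  ->", reverse_zone("203.0.113.8/29"))
```

On the receiving side Postfix enforces exactly these two conditions with `reject_unknown_reverse_client_hostname` (a PTR must exist) and the stricter `reject_unknown_client_hostname` (the PTR must forward-confirm) in `smtpd_client_restrictions`, so a VPS that fails this check will have its mail refused or scored as spam by a fair number of sites regardless of how well the STARTTLS setup is done.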