
Re: Advice on setup of small office locally or via VPS



On Tue, 17 Mar 2015 16:02:31 +0000, Linux4Bene wrote:

> On Tue, 17 Mar 2015 13:38:26 +0000, Dan Purgert wrote:
> 
> <snip>
> 
>> Didn't you just say that you were using a Debian box as your firewall/
>> router?
> 
> Not yet. I'm still employed ... 
> Currently I have my own VPS running but no business internet line yet
> nor a Debian firewall, but that's the plan. Just thinking ahead on how I
> will get up and running as fast as possible :)

I read it as you were /planning/ on using a Debian box for routing and 
firewall (and then switched gears to "what's a good appliance?" midway 
through the writing), which is why I asked.  

Honestly, unless you already have said box ready to go, I would skip it 
and just use an appliance (e.g. the UBNT Edge Router).  Less to go 
wrong / muck up.

> 
>> Personally I have used Ubiquiti Edge Routers (ubnt.com), and they're
>> really nice - based on Vyatta 6.3, rival bigger names in terms of
>> routing performance, and are cheap ($100 for the 3-port model "ER Lite",
>> and under $500 for the 8-port "ER-8". There's also a "PRO" variant of
>> the 8-port that includes 2 SFP ports that're shared with 2 of the copper
>> ports, and a 5-port model with PoE, but this is really only the ER Lite
>> with a switch in the same case, so it's 2x routing ports + 3x switch
>> ports, and might not fit in your situation).
>> 
>> Here's the datasheet for their routers -->
>> http://dl.ubnt.com/datasheets/edgemax/EdgeRouter_Lite_DS.pdf
> 
> Thanks, looks like a simple and adequate solution.

Yeah, they're a bit more than "adequate" -- they rival equipment put out 
by other vendors that's several times more expensive (IIRC, "cheap" Cisco 
kit is like 500-1000 USD).

> 
> [snip]
>> Depends on how their router is configured, but this sounds about right.
>> That said, in 99.5% of cases that I've seen the ISP-provided routers
>> are absolute rubbish, and should be relegated to bridge-only mode so
>> that you can use a better (i.e. more configurable) device to handle the
>> tasks.
> 
> I didn't know that. Thank you for the information.

Note - I'm in the USA, perhaps your local ISP's equipment isn't as 
rubbish as the ones here.  Best way to figure it out is by finding out 
what they'd supply, and then digging up discussions about it on Google.

> 
>> If the email server is public already (in the DMZ zone), you'll
>> probably have an easier (and still secure) time if you just have the
>> clients using STARTTLS to access THAT server.  Not that you couldn't
>> set up a gateway / relay, but there is much to be said about the KISS
>> principle.
> 
> The mail service is public on the VPS. There isn't a DMZ zone on that
> server. As you suggest, both Postfix and Dovecot are accessible via
> STARTTLS/SSL. If I read your comment correctly, you would leave the mail
> server config as it is, and put it in a DMZ and that's it?
> This would leave the mails also in the DMZ but as you said, accessing
> mail can only be done over a secure connection (SSL).
> I have SSL certificates set up for this (for my website, and Dovecot).

What I meant was that if you're putting a "local" server into a DMZ area 
already (because it's public facing), adding that extra internal server 
seems to be adding complexity for the sake of complexity, and wouldn't be 
offering you any benefits -- this also ties in with your webmail 
solution, if you choose to also have that going.

Now, if you were a bigger company with two or more sites that happen to 
be somewhat distant from one another, then running a relay would be 
beneficial (as users would all be hitting their "local" mail server, 
instead of /everyone/ needing to hit the server at your HQ site).



> [snip...] 
> 
> Indeed. There is some really great info regarding Postfix and keeping
> all the necessary info in a Postgresql db. If I would ever go with
> offering this as a service to users, I would use Django to build a web
> interface but that's a whole different topic.

You've already got a frontend for them (hint - "roundcube")

> 
> 
>>> I can see LDAP being useful to have central authentication.
>>> It can be a challenge to set up though. Are there other ways of having
>>> a simple central authentication?
>> 
>> LDAP, and a couple of books on the subject. ;)
> 
> Hehe, in the past I have set up LDAP on my own home network with Samba.
> It worked great and I could log in from my Windows machine as well.
> The docs that I wrote back then will be horribly outdated by now :)

Probably not.  I mean, yeah some of the syntax for the config files may 
have changed, but LDAP is still LDAP ... so the core principles of the 
setups will be the same.

> 
> I like using a CLI but not when dealing with LDAP.
> Are there any good gui tools to manage a LDAP server?
> I have come across phpLDAPadmin. Is it any good?

emacs :)

> 
>>> I have thought about using a document management system from the
>>> start.
>>> But I have only experience with commercial ones and that might be
>>> overkill from the start. Besides, they are Windows based.
>> 
>> You mean like git?
> 
> Funny you should say that. I have thought about using git for this.
> Are there people using git to keep track of docs?
> I suppose you need a hierarchical tree setup to put the docs in
> appropriate folders.
> 
> For my own notes, I use a virtualenv with Sphinx for my docs in rst
> format, and generate html docs.
> It works great.

Git works well with source code, I'm not really sure how well it works 
outside of that (e.g. ODT files).  I imagine that it would provide "some" 
of the functionality you're looking for, but possibly not all of it.

For simple text files, I've taken a liking to rcs.  One of the guys here 
(or on one of the other newsgroups I haunt) had a decent basic wrapper 
for it too.


> 
>>> VPS ===
> <snip>
>> file server should be local. However, there's no reason that you could
>> not set up a local file server, and still run other services (e.g.
>> email) off a VPS.
> 
> That is kind of a hybrid solution I was thinking of as well.
> That would mean keeping the VPS, and using a firewall and file server
> locally with whatever local services (LDAP, nginx) I need.
> Can't get more KISS than that.

Well, not so sure about the extra firewall in the mix there - I mean, 
yeah you'll have one on site likely as part of your router appliance ... 
but that's pretty much a given these days anyway.

Or are you planning on throwing a firewall somewhere else, such as 
between the LAN and the file server (and if so - why?)


> [...snip...] 
> I was referring to a problem I had when setting up my mail server on the
> VPS. I had set up reverse DNS but no reverse DNS request made it to my
> DNS server, which was to be expected as I don't own the range, my VPS
> provider does. I needed to ask them to add a reverse DNS entry in their
> zone to have the public IP assigned to me point to my VPS server with
> the name I specified for my mail server.
> 
> I thought I could avoid this, if I have a range of public IP's.
> If I do, then the reverse DNS queries would probably make it to my DNS
> service. But I'm not sure about that.

They'll definitely make it to your ISP.  Whether or not your ISP will 
relay them as "yourdomain.com" or "our-ip-address-block.somewhere.ISP.com" 
is something you'll have to check with them though ... 

Really about the only guaranteed way of getting that would be to own an 
actual block of IPs (i.e. bought directly from one of the number 
registrars ... ARIN or RIPE or one of their delegated subsidiaries).  But 
in doing so, you're talking about buying something like a /20 (or 
whatever their currently "smallest" allocation is).
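The reverse DNS problem raised in this exchange boils down to a forward-confirmed reverse DNS (FCrDNS) check: the PTR record for the mail server's public IP must name the host you announce, and that name's A record must point back at the same IP. The following is an added example, not code from anyone in this thread; the resolver functions are injected so it runs offline against a constructed table (names and addresses are placeholders), and can be swapped for socket.gethostbyaddr / socket.getaddrinfo when checking a real VPS.

```python
"""Forward-confirmed reverse DNS check for a mail server's public IP.

Added example for this thread. Resolver functions are injected so the
check runs offline here and can be pointed at real DNS in production.
"""
from typing import Callable, Dict, List, Optional

# Constructed sample data (placeholders, not real hosts or addresses):
# what the VPS provider's reverse zone and the owner's forward zone answer.
PTR_TABLE: Dict[str, str] = {
    "203.0.113.10": "mail.example.net.",                 # provider added PTR
    "203.0.113.11": "static-11.vps-provider.example.",   # generic provider PTR
    "203.0.113.12": "mail.example.net.",                 # PTR set, A record stale
}
A_TABLE: Dict[str, List[str]] = {
    "mail.example.net": ["203.0.113.10"],
    "static-11.vps-provider.example": ["203.0.113.11"],
}


def lookup_ptr(ip: str) -> Optional[str]:
    """Offline stand-in for a PTR query (socket.gethostbyaddr in real use)."""
    return PTR_TABLE.get(ip)


def lookup_a(name: str) -> List[str]:
    """Offline stand-in for an A query (socket.getaddrinfo in real use)."""
    return A_TABLE.get(name, [])


def fcrdns_check(ip: str, announced_host: str,
                 ptr: Callable[[str], Optional[str]] = lookup_ptr,
                 a: Callable[[str], List[str]] = lookup_a) -> Dict[str, object]:
    """Return a report: PTR name, whether it resolves back to ip, whether it
    equals the hostname the mail server announces, and the overall verdict."""
    report: Dict[str, object] = {"ip": ip, "ptr": None, "forward_ok": False,
                                 "matches_announced": False, "ok": False}
    name = ptr(ip)
    if name is None:              # no PTR at all: provider has not delegated/added one
        return report
    name = name.rstrip(".").lower()
    report["ptr"] = name
    report["forward_ok"] = ip in a(name)
    report["matches_announced"] = name == announced_host.rstrip(".").lower()
    report["ok"] = bool(report["forward_ok"] and report["matches_announced"])
    return report


if __name__ == "__main__":
    for addr in PTR_TABLE:
        print(fcrdns_check(addr, "mail.example.net"))
```

Receiving mail servers commonly apply exactly this check to inbound connections, so a generic provider PTR (the .11 case) or a PTR whose forward record is stale (the .12 case) is what shows up as rejected or spam-scored outbound mail.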

