WEB and Mail server project
Mon serveur WEB et Email
2016-09-07 14:37:46
2019-07-11

Renting an external server ... Why

In the last few months I have been solicited by competitors of my present day internet service provider. The offers where very alluring however I found myself captive of the email address provided by my current provider.

The provider does not continue the email address after the end of the internet contract. It does offer an internet dialup contract that would support the email address.

An other solution would be to move my email traffic towards an other provider. I see this akin to a divorce followed by a marriage. This solution does have the benefit that the new provider could be chosen not to be linked to an internet provider thus providing the freedom I want. The basic problem of being slaved to a 3rd party's decision still remains.

Being a nerd by nature and having too much time (apparently), there is an other solution: the one I chose. It involves:

  • reserving and configuring a name in the domain name service (DNS). I did this and acquired  Chez-MiDan.com.
  • Renting a server, configuring it and installing the services that I wanted.

This way I get the email service that I need and the added benefit of being able to unload the web site I was servicing on my home computer to the new server.

And besides, it was fun to do.

Some details

Acquiring Chez-MiDan.com

This part is quite easy. There are many service providers that will charge you on an annual base to insert a name in the Domain Name Service (DNS). I chose to do this with GODADDY.com As I am writing,  they have yet an other promotion where you can "buy" a name for $0.99 a month. The mechanism of defining a name includes defining the DNS servers that will answer for your name. GODADDY.com offers this service but I chose to have the DNS serviced at NO-IP.COM. More about this later. So, when I bought the name I named NO-IP.com to be the primary DNS servers for my domain. 

DNS Servicing

As I said I choose NO-IP.com to service my domain. I pay them $25/year for this service. It includes the use of their domain servers and dynamic DNS servicing for my home computer. This last service is why I chose NO-IP.com as name server for my domain.

Using NO-IP.com I created hosts under my domain (chez-midan.com) to point towards the server I rent and my home computer (dynamic IP addressing). The NO-IP web site is quite convivial as is GODADDY's for that matter. The issue of dynamic IP address for my home computer is fodder for an other article.

The server

I chose OVH.com as provider to rent my server. I chose their lowest cost product. It is a virtual server but it does the job. I pay $5/month for this server and their are no other paying services that I require. So it is $60/year and that is it.

Software:

  • I choose to use a pre-installed Linux, a Debian release.
  • MYSQL database server
  • APACHE web server
  • PHP server side service language
  • SENDMAIL mail server
  • dovecot POP, IMAP server.
  • fail2ban security monitor and active protection
  • UFW simple firewall
  • mimedefang, email milter
  • spamassassin, email spam filter

Of course I added my own web site software. This pretty well wraps it up.

Cost

  • $12 /year to acquire and keep the name
  • $25 /year for DNS servicing et NO-IP
  • $60 /year for the server
  • Added isolation / protection of my home computer ...
  • Freedom
  • Fun
  • TOTAL +-$100

Cheapest contact available with my current service provider ... 15$ / month or $130 /year.

The correct comparison must include the price of conserving an email address  and a complete interne package with a service provider. Looking at it that way means that it cost me $100 more a year to be independent of my provider. It also means that if I change provider and keep my old provider's email address then the additional cost is $100 - $130 ( the cost of the smallest contract). A saving of $30.

 
To summarize: ( where going from one internet provider email service to the next provider's is unacceptable)
 
Basic service cost
Address keep price
Con's
Pro's
Using current ISP
Constant (1)
$0

Home computer risk(2)

ISP email policies and not my own.

Locked in to using this ISP

Steady state, no work, no change, ever..
Moving to another ISP and keeping the email address
Constant (1)
$130 (smallest contract with current provider to save the email address)

Home computer risk(2)

ISP email policies and not my own.

Easy and you do not need to do anything but pay the bill.
Moving to an other ISP and using a self owned email addr.
Constant (1)
$100 (see solution cost above)

Some work to get the server configured and protected properly.

Needs know how or guidelines to do it properly.

Technically, you are loosing the email address but replacing it for the last time.

Home computer not at risk from WEB openness.

Future proof in regards to email freedom.

Free to move from ISP to an other.

(1) The price paid to the internet provider does not factor in the choice of the solution since we  have to pay one no matter what.
(2) It is always risky to expose a computer where you hold private data to the internet. This is a growing concern of mine.
 

The time factor

When to do this. My case may not be typical since I want to secure my home computer asap. This being said I suggest the following:

  1. Stay with the present solution while building the new domain.
  2. Move your correspondence from the old email to the new address while you have both. Take the time that you need if you want to avoid hassles such as loosing access to some of the internet services that you use. (Banks, Ebay, facebook, Twitter ...)
  3. When you think you caught them all wait another month to be sure.
  4. You may be ready!

Security

So far I have talked about using this external server to help secure my home computer. Fine, however the external server must also be secured. There are obvious security steps to take and there are quite a few software packages to help.

Minimum to do:

  • use a firewall to lock out all the services that the system offers but that you do not want in use.
  • make sure that the path for admins is secured to only one ore two source computers computers
  • make sure that there are no  pre-authorized login paths from the external computer to your admin stations or any other computer. This could be one of the effects of using SSH know systems and public keys
  • make sure to lock out all IPs doing illicit poking of your system's defense mechanisms

My UFW firewall:

root@web:/root# ufw status
Status: active

To                         Action      From
--                         ------      ----
80/tcp                     ALLOW       Anywhere
25/tcp                     ALLOW       Anywhere
587/tcp                    ALLOW       Anywhere
143/tcp                    ALLOW       Anywhere
Anywhere                   ALLOW      
80/tcp                     ALLOW       Anywhere (v6)
25/tcp                     ALLOW       Anywhere (v6)
587/tcp                    ALLOW       Anywhere (v6)
143/tcp                    ALLOW       Anywhere (v6)

Update 2017-09-22: I added ports 993 and 465 to accomodate SSL/TLS mail delivery and retrieval.
 

This configuration opens the WEB hosting port 80 the imap access port 143 and sendmail ports 25 and 587. Notice that SSH is not explicitly opened to anyone. In this configuration, only can use the SSH port and facility.

Fail2ban

This software complements UFW firewall. It monitors logs, applies rules to determine if there are hacking attempts and bans those culprit IPs from accessing the system. In my case, I use it to detect sendmail, imap or web accesses that are hacking attempts and ban those IPs.

Is this necessary? you will ask! It is for the good reasons that no system is without security issues, no web pages are without hacking opportunities. By using fail2ban I limit the number of attempts to 1. Poking the system becomes very laborious given that the ban time is 10 days. 

Using these methods I ban over 700 IPs per day! So, YES, I find using UFW and fail2ban necessary!! See the stats  here:

OPENVPN

I have added a VPN between my server and my home (base) computer. I did this to reduce my home's exposure to the internet (hacking). I now do not need to have as many holes in my home's computer firewall.

EMAIL

Sendmail! ... It's a beast!

It is very important to configure sendmail properly to be secure and to not open the door to illicit mail relaying. I am not an expert on sendmail and there are numerous write-ups on the net on how to do this properly. My solution works for me but I am not certain that I did it optimally. Please consult experts on this.

If you are not sure that your solution is correct, take the time to monitor it very closely. Here the system logs are invaluable.

spamassassin and mimedefang

  • I should have mentioned in the original installment of this document that I was using Dovecot to retrieve email remotely. Works fine, almost out of the box.
  • Sendmail was configured for local delivery that in turn is managed by Dovecot as an INBOX (of type mbox). I also had configured sendmail to use the STARTLS ports and protocols. I have since added the SSL/TLS protocols and ports (993 and 465).
  • Spam mail was becoming a real nuisance. To controls this I added MIMEdefang and Spamassassin. MIMEdefang acts as a milter, connects to Spamassain. I added a configuration to MIMEdefang so that emails that are marked as spam,
  • I changed out the local delivery mailer in sendmail to use dovecot-lmtp. This enabled me to use dovecot-sieve and be able to have "on delivery scripts". Using sieve, users can divert, delete etc. spam mail to there linking. This outcome was not as easy to achieve as I thought ... but is works great! This reduced considerably the nuisance cause bu spam.