My ADSL comes with a fixed IP address and I gather that, among other things, it would enable me to run my own mail server.
After reading my ISP's instructions about running an SMTP mail server, in double-dutch of course ("A" records ???), it all sounds a little daunting. I already run Postfix locally if that has any bearing on the subject and I don't, as far as I know, run a DNS server locally.
What advantages would this give?
Barry Samuels http://www.beenthere-donethat.org.uk The Unofficial Guide to Great Britain
On Tue, 29 Jun 2004 14:20:41 +0100 (BST), bjsamuels@beenthere-donethat.org.uk wrote:
After reading my ISP's instructions about running an SMTP mail server, in double-dutch of course ("A" records ???), it all sounds a little daunting. I already run Postfix locally if that has any bearing on the subject and I don't, as far as I know, run a DNS server locally.
What advantages would this give?
Firstly check to see if your ISP blocks port 25 for security reasons (in case you might be running an open relay). Check your Postfix configuration to ensure that you are NOT running an open relay (in other words, the whole world and his dog can send messages through your server). When configuring a new mail server I tend to use the services of http://www.ordb.org to do a thorough test once I've done my own basic relay tests.
If you're going to run a mail server at home, I'd highly recommend an external (preferably on a completely different network to your ISP) secondary MX provider to hold your mail in case your ADSL line dies horribly without warning.
Most important of all - make sure you have a static IP address and that it has reverse DNS enabled - preferably resolving to your domain name (something like mail.domain.name). Nildram, for example, allows you to set up reverse DNS for their static IPs - just update it through a simple web interface.
Regards,
Martyn
On 29-Jun-2004 Martyn Drake wrote:
What advantages would this give?
Firstly check to see if your ISP blocks port 25 for security reasons (in
--snip--
simple web interface.
Regards,
Martyn
Thanks for the reply Martin but I haven't got as far as trying to set it up yet. I just wanted to know if there were any advantages in running my own mail server.
Martyn Drake martyn@drake.org.uk writes:
bjsamuels@beenthere-donethat.org.uk wrote:
After reading my ISP's instructions about running an SMTP mail server, in double-dutch of course ("A" records ???), it all sounds a little daunting. I already run Postfix locally if that has any bearing on the subject and I don't, as far as I know, run a DNS server locally.
What advantages would this give?
Fewer points of failure (i.e. you've eliminated a mail provider's mail server from the equation.).
Fine grained control over what mail you accept. A double-edged sword; you *can* do your own spam filtering, but unless you are very lucky or very tolerant, you will *have* to do your own spam filtering.
If you're going to run a mail server at home, I'd highly recommend an external (preferably on a completely different network to your ISP) secondary MX provider to hold your mail in case your ADSL line dies horribly without warning.
I would recommend against it, based on my experience.
It's not *necessary*, in that the only mail you might lose because you didn't have a backoff MX you'd be at risk of losing no matter how many backoff MXs you had.
It definitely adds another point of failure: if your backoff MX accepts a message and then falls over you're in a worse position than if it was queued on the sending site's mail server for a while.
It increases the number of things not under your own administration that the reliability of your mail depends upon. (I think it was Martin Keegan who defined an enemy mail system as one you did not control, and I think there is a lot of truth to this.)
Additionally it might prove quite inconvenient if you're doing your own spam filtering.
For instance, if you want to include the origin IP address as part of the filter, you'd have to fish it out of the Received: field. (Preferentially using backoff MXs is a spammer trick for getting around IP-address-based access control.)
A second spam-related problem is that rejecting at RCPT or DATA means that the backoff MX has to generate a bounce, which (since spam often has a forged return path) may go to some innocent third party, who doesn't deserve to have their mail clogged up with it. Without the backoff MX the handling of the error response to RCPT/DATA will be much closer to the sender of the mail who is in a better position to do something sensible with it (and this is a general advantage to avoiding the backoff MX, rather than a spam-specific one, really).
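The point above about fishing the origin IP out of the Received: field, as an added example that is not part of the original thread: it walks the headers from the top and only believes a hop that was recorded by a relay you trust. The relay addresses, host names and the sample message are constructed assumptions.

```python
import ipaddress
import re
from email import message_from_string

# Relays whose Received: lines we believe (hypothetical addresses from the
# RFC 5737 documentation ranges): our own server and the backup MX.
TRUSTED_RELAYS = {
    ipaddress.ip_address("192.0.2.25"),   # primary MX (assumed)
    ipaddress.ip_address("192.0.2.10"),   # backup MX (assumed)
}

BRACKETED_IP = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]")


def origin_ip(raw_message):
    """Return the first client address that a trusted relay recorded and that
    is not itself a trusted relay, or None if the chain cannot be followed."""
    msg = message_from_string(raw_message)
    # Headers are prepended, so the first one was written by our own server.
    for value in msg.get_all("Received", []):
        if not value.lstrip().lower().startswith("from "):
            return None                      # local submission, no client hop
        # Only the "from ..." clause describes the connecting client.
        from_part = re.split(r"\sby\s", value, maxsplit=1)[0]
        match = BRACKETED_IP.search(from_part)
        if not match:
            return None                      # never fall through to lower headers
        try:
            client = ipaddress.ip_address(match.group(1))
        except ValueError:
            return None
        if client not in TRUSTED_RELAYS:
            return client                    # first hop from outside our relays
        # Client was one of our relays, so the next header was written by it.
    return None


# Constructed sample: delivered via the backup MX, with a forged bottom header.
SAMPLE_VIA_BACKUP = """\
Received: from backup.example.net (backup.example.net [192.0.2.10])
    by mail.example.org (Postfix) with ESMTP id AAA111
    for <user@example.org>; Tue, 29 Jun 2004 15:02:11 +0100 (BST)
Received: from mx.sender.example (unknown [203.0.113.77])
    by backup.example.net (Postfix) with ESMTP id BBB222
    for <user@example.org>; Tue, 29 Jun 2004 14:58:40 +0100 (BST)
Received: from trusted.bank.example (trusted.bank.example [198.51.100.5])
    by mx.sender.example with SMTP; Tue, 29 Jun 2004 14:58:00 +0100
From: someone@sender.example
To: user@example.org
Subject: constructed sample

body
"""

if __name__ == "__main__":
    print(origin_ip(SAMPLE_VIA_BACKUP))
```

Everything below the first untrusted hop was supplied by the sender and is ignored, which is why the third header in the sample has no effect on the result.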
On 29-Jun-2004 Richard Kettlewell wrote:
Fewer points of failure (i.e. you've eliminated a mail provider's mail server from the equation.).
--snip--
That and the reply from Wayne I found interesting so thank you to both.
Mark reminded me that I spelt 'Martin's' name incorrectly - sorry Martyn.
On Tuesday 29 June 2004 14:20, bjsamuels@beenthere-donethat.org.uk wrote:
My ADSL comes with a fixed IP address and I gather that, among other things, it would enable me to run my own mail server.
After reading my ISP's instructions about running an SMTP mail server, in double-dutch of course ("A" records ???), it all sounds a little daunting. I already run Postfix locally if that has any bearing on the subject and I don't, as far as I know, run a DNS server locally.
What advantages would this give?
Barry Samuels http://www.beenthere-donethat.org.uk The Unofficial Guide to Great Britain
(Silly answer coming up...) I hesitate to jump in with so many people around who know what they're doing, but I'm not sure what benefits there are - for a domestic user - in running incoming SMTP as opposed to simply having your server collect mail from your ISP using fetchmail then distribute it to local users via Postfix. This way it doesn't matter if the server or ADSL go down from time to time. You don't even need a fixed IP address, for that matter. All I need one for is to host a couple of webservers that don't carry anything critical but allow me to do server-side processing my ISP wouldn't support.
A short tutorial from one of the IT experts would be most interesting. Like, what is a secondary MX provider or reverse DNS and why would we need it? Apologies for such green questions but most of what I read might as well be Sanskrit for all the practical help it gives me.
-- GT
On 29-Jun-2004 Graham wrote:
(Silly answer coming up...) I hesitate to jump in with so many people around
-- snip --
Apologies for such green questions but most of what I read might as well be Sanskrit for all the practical help it gives me.
Ah! I know that feeling :-)
On Tuesday 29 June 2004 14:43, Graham wrote:
(Silly answer coming up...) I hesitate to jump in with so many people around who know what they're doing, but I'm not sure what benefits there are - for a domestic user - in running incoming SMTP as opposed to simply having your server collect mail from your ISP using fetchmail then distribute it to local users via Postfix. This way it doesn't matter if the server or ADSL go down from time to time. You don't even need a fixed IP address, for that matter. All I need one for is to host a couple of webservers that don't carry anything critical but allow me to do server-side processing my ISP wouldn't support.
SMTP has a few advantages, most of which only become relevant as you scale things up.
Firstly, you are in control of what mail you accept, you can bounce people based on blacklists, domain resolution or because you don't like the sound of their name. This makes sense because you are not wasting bandwidth downloading mail you don't want to receive.
You are not dependent on your ISP's mail relay. Anybody here who is on Demon for example can verify how annoying it is to have delayed or lost mail as a result of your ISP's SMTP service not responding in a timely fashion.
By having an MX record pointing at your IP, it becomes easy to send mail directly from your system rather than via your ISP's relay without falling foul of name lookups.
Also because you are in full control, you can assign any domain you control to your system simply by getting an MX record added to that domain. With POP, if you wanted to accept mail for foo.com then you would either have to set up a forwarding service to an existing account, set up a POP/SMTP service at a hosting provider or negotiate with your ISP to accept mail for that domain and route it to your account for collection.
A short tutorial from one of the IT experts would be most interesting. Like, what is a secondary MX provider or reverse DNS and why would we need it? Apologies for such green questions but most of what I read might as well be Sanskrit for all the practical help it gives me.
Secondary MX is a fallback system. If you have an MX record pointing at your own system and then for whatever reason your system is unable to accept mail, then any senders will either get a Non Delivery Report or the mail MAY get queued to be resent later. When MX records are attached to a domain they include a priority number; the highest priority (lowest number) gets tried first and if that fails a correctly configured mail system will attempt delivery to the next one on the list. So you have an alternative transit that can hold your mail until your system is able to accept it. As has been pointed out, it is best practice that the fallback is somewhere completely independent of your connection and your ISP, although Richard has made some good points about how this can be a disadvantage.
Reverse DNS is exactly what it says on the tin: a DNS lookup resolves a domain to an IP, a reverse DNS resolves an IP to a domain. Mail systems may use reverse DNS to confirm that the sender is really the domain that they say they are. This essentially stops you receiving mail from a zombied Windows machine somewhere that is being used as a spam relay; unfortunately it can also stop you receiving mail you want, as not everybody takes care to sort their reverse lookups out. (Actually the way DNS and particularly reverse DNS works is pretty clever and fairly interesting.)
W
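The MX fallback order and the reverse DNS confirmation described above, as an added example that is not part of the original thread. A constructed table stands in for DNS so it runs offline; all host names and addresses in it are assumptions.

```python
# Constructed records standing in for real DNS answers.
ZONE = {
    "MX": {
        # (preference, host): lowest number is tried first.
        "example.org": [(20, "backup.example.net"), (10, "mail.example.org")],
    },
    "A": {
        "mail.example.org": ["192.0.2.25"],
        "backup.example.net": ["198.51.100.10"],
        "relay.sender.example": ["203.0.113.77"],
        "plainhost.example": ["192.0.2.80"],
    },
    "PTR": {
        "192.0.2.25": ["mail.example.org"],
        "203.0.113.77": ["relay.sender.example"],
        # Whoever controls this address block can publish any PTR they like,
        # here claiming a name whose A record points elsewhere.
        "203.0.113.99": ["mail.example.org"],
    },
}


def mx_targets(domain):
    """Hosts a sender should try for this domain, best first."""
    records = ZONE["MX"].get(domain)
    if not records:
        # No MX at all: RFC 5321 treats the domain's own address as an
        # implicit MX, so mail can still be delivered to a bare host.
        return [domain] if domain in ZONE["A"] else []
    return [host for _pref, host in sorted(records)]


def pick_delivery_host(domain, reachable):
    """First MX in preference order that is currently accepting connections."""
    for host in mx_targets(domain):
        if host in reachable:
            return host
    return None  # nothing answered: the sender queues and retries later


def fcrdns(ip):
    """Forward-confirmed reverse DNS: the PTR name must resolve back to the
    same address, otherwise the PTR alone proves nothing."""
    for name in ZONE["PTR"].get(ip, []):
        if ip in ZONE["A"].get(name, []):
            return name
    return None


if __name__ == "__main__":
    print(mx_targets("example.org"))
    print(pick_delivery_host("example.org", {"backup.example.net"}))
    for address in ("192.0.2.25", "203.0.113.99", "198.51.100.10"):
        print(address, fcrdns(address))
```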
On 2004-06-29 22:29:16 +0100 Wayne Stallwood ALUGlist@digimatic.plus.com wrote:
Firstly, you are in control of what mail you accept, you can bounce people based on blacklists [...]
Be very careful which blacklists you use. Most are utter rubbish and don't check what they list or offer enough information to actually be able to get support staff of the listed ISP to fix the problem. It's very annoying getting bounced because some over-zealous blacklist decided to include the whole hosting provider/hosting facility/ISP/uplink/country/world after one email to a honeypot address from a clueless person's web form or autoreply.
You are not dependent on your ISP's mail relay. Anybody here who is on Demon for example can verify how annoying it is to have delayed or lost mail as a result of your ISP's SMTP service not responding in a timely fashion.
Increasingly, UK providers seem to be silently junking email and a few (BT-Yahoo, Demon and Frees^WWannad^WFrance Telecom, I'm looking at you) seem to be getting it very wrong occasionally.
On Wednesday 30 June 2004 23:20, MJ Ray wrote:
Be very careful which blacklists you use. Most are utter rubbish and don't check what they list or offer enough information to actually be able to get support staff of the listed ISP to fix the problem. It's very annoying getting bounced because some over-zealous blacklist decided to include the whole hosting provider/hosting facility/ISP/uplink/country/world after one email to a honeypot address from a clueless person's web form or autoreply.
Yes, sorry, I should have made that clearer. Like you, I personally dislike most of the blacklist services out there. Maybe they are OK to be used as a weighting on a rule filter, but that's about it.
You are not dependent on your ISP's mail relay. Anybody here who is on Demon for example can verify how annoying it is to have delayed or lost mail as a result of your ISP's SMTP service not responding in a timely fashion.
Increasingly, UK providers seem to be silently junking email and a few (BT-Yahoo, Demon and Frees^WWannad^WFrance Telecom, I'm looking at you) seem to be getting it very wrong occasionally.
Ahh you have noticed that too. BT's service is strange as it seems to change configuration on a daily basis.
Demon were pretty awful last year, had all sorts of problems with some of my clients. Demon's "punt" servers just didn't respond half the time. Worse still Demon (for the accounts my clients had anyway) wouldn't let us change MX records around to bypass their joke of a system. So far this year, things appear to have been a bit better.
I remember on a number of occasions sitting there with timeouts while trying to connect to port 25 of their relays. At the same time some nut on their helldesk would be trying to tell me there was no problem their end.
Plusnet at least seem to be pretty good. You can even configure the MX (along with a fallback relay) to point to your IP address, all from the account webadmin interface. So far I haven't bothered for myself, but it's nice that I at least have the facility.
On 7/1/2004, "Wayne Stallwood" ALUGlist@digimatic.plus.com wrote:
On Wednesday 30 June 2004 23:20, MJ Ray wrote:
Be very careful which blacklists you use. Most are utter rubbish and don't check what they list or offer enough information to actually be able to get support staff of the listed ISP to fix the problem. It's very annoying getting bounced because some over-zealous blacklist decided to include the whole hosting provider/hosting facility/ISP/uplink/country/world after one email to a honeypot address from a clueless person's web form or autoreply.
Yes, sorry, I should have made that clearer. Like you, I personally dislike most of the blacklist services out there. Maybe they are OK to be used as a weighting on a rule filter, but that's about it.
First off, the benefits of running your own server are, in my opinion, underrated. For example, I'm sitting in an office in Derby, typing this on my webmail (running on top of postfix) on a server that's sitting in my living room. I have total control and that makes me happy.
However, I disagree with your views on blacklists. For me, they have (almost totally) solved the spam problem. I haven't had a spam in over 2 months since I implemented blacklist blocking. I agree you have to be careful about which ones you use as some of them are too aggressive, but if you are careful, they are an invaluable resource. I use blackhole.securitysage.com, rhsbl.sorbs.net, bl.sorbs.net, dnsbl.sorbs.net, and bl.spamcop.net. I regularly grep through my mail logs for rejections every time they roll over, and can honestly say that not one legitimate e-mail has been bounced. Particularly effective is dnsbl.sorbs.net which will not allow mail from dynamic IP ranges through and this seems to be where 90% of spam originates from through zombied Windows boxen.
Matt
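The log review described above (checking blacklist rejections for legitimate mail), as an added example that is not part of the original thread. The log lines are constructed in the style of Postfix smtpd reject entries, and the list of known correspondent domains is an assumption.

```python
import re
from collections import Counter

# One blacklist rejection per line: client, reply code, list name, envelope.
REJECT = re.compile(
    r"reject: RCPT from (?P<host>[^\[\s]+)\[(?P<ip>[^\]]+)\]: (?P<code>\d{3}) "
    r".*?blocked using (?P<dnsbl>[A-Za-z0-9.-]+);"
    r".*?from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]*)>"
)

# Constructed sample log (addresses from documentation ranges).
SAMPLE_LOG = """\
Jul  1 08:12:03 mail postfix/smtpd[2211]: NOQUEUE: reject: RCPT from unknown[203.0.113.50]: 554 Service unavailable; Client host [203.0.113.50] blocked using dnsbl.sorbs.net; constructed reason; from=<offer@bulk.example> to=<user@example.org> proto=SMTP helo=<pc-50>
Jul  1 08:15:40 mail postfix/smtpd[2214]: connect from relay.sender.example[203.0.113.77]
Jul  1 09:01:17 mail postfix/smtpd[2290]: NOQUEUE: reject: RCPT from lists.example.net[198.51.100.20]: 554 Service unavailable; Client host [198.51.100.20] blocked using bl.spamcop.net; constructed reason; from=<announce-bounces@lists.example.net> to=<user@example.org> proto=ESMTP helo=<lists.example.net>
Jul  1 09:30:02 mail postfix/smtpd[2301]: NOQUEUE: reject: RCPT from unknown[203.0.113.51]: 554 Service unavailable; Client host [203.0.113.51] blocked using dnsbl.sorbs.net; constructed reason; from=<> to=<user@example.org> proto=SMTP helo=<pc-51>
""".splitlines()

# Domains you expect mail from, e.g. mailing lists you subscribe to (assumed).
KNOWN_DOMAINS = {"lists.example.net", "friend.example"}


def review_rejections(lines, known_domains):
    """Count rejections per blacklist and pick out the ones whose envelope
    sender belongs to a domain you normally correspond with."""
    per_list = Counter()
    to_review = []
    for line in lines:
        match = REJECT.search(line)
        if not match:
            continue                      # not a blacklist rejection
        per_list[match["dnsbl"]] += 1
        domain = match["sender"].rpartition("@")[2].lower()
        # The envelope sender is forgeable, so a hit is a prompt to look at
        # the entry by hand, not proof of a false positive.
        if domain in known_domains:
            to_review.append((match["dnsbl"], match["ip"], match["sender"]))
    return dict(per_list), to_review


if __name__ == "__main__":
    counts, review = review_rejections(SAMPLE_LOG, KNOWN_DOMAINS)
    print(counts)
    for entry in review:
        print("check by hand:", entry)
```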
On Thu, Jul 01, 2004 at 08:29:40AM +0100, Matt Parker wrote:
bl.spamcop.net.
SpamCop cause me more issues and waste more of my time than spammers themselves; mainly because of the number of people who blindly send mail they claim is spam there but is often from something like a mailing list they've signed up to. Oh, and the tendency to occasionally decide the reporting machine is actually the spamming machine. Really not impressed with them.
J.
bl.spamcop.net.
SpamCop cause me more issues and waste more of my time than spammers themselves; mainly because of the number of people who blindly send mail they claim is spam there but is often from something like a mailing list they've signed up to. Oh, and the tendency to occasionally decide the reporting machine is actually the spamming machine. Really not impressed with them.
We had bad experiences from spamcop at university. Someone must have forwarded a message to them that appeared to have come from someone at a friend's domain, and they blindly added the domain to their blacklist. So when he tried to send lecturers e-mail, he got it returned, very helpful.
The RBLs I hate are the ones that add all dial-in/dynamic IPs just because 'they must be spammers if they run an SMTP server'. I have an smtp server so my apache/php setup doesn't complain, it runs a couple of domains through dyndns, but whenever I send mail now they get returned because the majority of subnets my ISP own have been added, and according to the RBL websites "if we retest the IP and it is a dynamic IP we WILL NOT REMOVE IT", it even stops me sending mail through my hosting company's smtp server direct from mail clients :o(
Duncan Sample
On Thursday 01 July 2004 09:34, Duncan Sample wrote:
The RBLs I hate are the ones that add all dial-in/dynamic IPs just because 'they must be spammers if they run an SMTP server'. I have an smtp server so my apache/php setup doesn't complain, it runs a couple of domains through dyndns, but whenever I send mail now they get returned because the majority of subnets my ISP own have been added, and according to the RBL websites "if we retest the IP and it is a dynamic IP we WILL NOT REMOVE IT", it even stops me sending mail through my hosting company's smtp server direct from mail clients :o(
Personally, I agree with this 100%.
I don't think people should be sending mail directly from their own mail server. They should be relaying through their ISP's mail systems. If your ISP can't run a proper relay, then it's time to move ISP, or use a real SMTP server which allows you to relay when authenticated. I run several mail servers, and have quite a bit of experience in this field, and I find that blocking dynamic addresses definitely does solve one hell of a lot of the spam problem.
Kind Regards,
-- Ian P. Christian - pookey@pookey.co.uk - +44 (0) 7740 189415 - http://www.pookey.co.uk/
On 2004-07-03 13:50:16 +0100 Ian P. Christian pookey@pookey.co.uk wrote:
On Thursday 01 July 2004 09:34, Duncan Sample wrote:
[...] it even stops me sending mail through my hosting company's smtp server direct from mail clients :o(
Personally, I agree with this 100%. [...] it's time to move ISP, or use a real SMTP server which allows you to relay when authenticated. [...]
Whose email am I not understanding? Duncan seemed to be complaining about stupid dynamic IP blacklists that prevent use of authenticating SMTP servers as Ian describes, yet Ian said he agreed 100% with the stupid blacklists?!?
Confused in PE30, but still not as confused as the addled blacklists,
On Monday 05 July 2004 02:37, MJ Ray wrote:
Whose email am I not understanding? Duncan seemed to be complaining about stupid dynamic IP blacklists that prevent use of authenticating SMTP servers as Ian describes, yet Ian said he agreed 100% with the stupid blacklists?!?
Sorry, I was agreeing with the blacklisting of dynamic IPs, not the opinion against it :)
Ian
On 2004-07-01 08:29:40 +0100 Matt Parker matt@mpcontracting.co.uk wrote:
However, I disagree with your views on blacklists. For me, they have (almost totally) solved the spam problem. [...]
They can (almost totally) solve the incoming email problem too if you use them as a simple block instead of part of a scoring system.
blackhole.securitysage.com, rhsbl.sorbs.net, bl.sorbs.net, dnsbl.sorbs.net, and bl.spamcop.net.
sorbs.net often seems to include the mail relays of large ISPs in its DUL. Their honeypot list is very broad-brush too (/32 at best) and doesn't give enough information for an ISP to be able to act against the spammer easily. I think both of those get included into dnsbl.sorbs.net, so beware: I frequently kick its users off of mailing lists when they get it wrong and start bouncing legitimate email back to me.
I think others have said far more than I can about spamcop.net. It was useful once, but now avoid it.
Are securitysage.com serious? As one possible method for delisting, they give "A friendly girl with a sexy voice manages to find the telephone number for one of the (single) male technical support representatives [...]"
On Thu, 01 Jul 2004 00:20:56 +0100, MJ Ray wrote:
Be very careful which blacklists you use. Most are utter rubbish and don't check what they list or offer enough information to actually be able to get support staff of the listed ISP to fix the problem. It's very annoying getting bounced because some over-zealous blacklist decided to include the whole hosting provider/hosting facility/ISP/uplink/country/world after one email to a honeypot address from a clueless person's web form or autoreply.
I've also discovered that some MTAs will not accept mail should a blacklist entity disappear. This leads to legitimate mail being rejected and lots of red faces all round.
I agree with Mark - those blacklists that seem to derive pleasure from blocking an entire ISP don't do the anti-spam cause any good and should not be used wherever possible.
Increasingly, UK providers seem to be silently junking email and a few (BT-Yahoo, Demon and Frees^WWannad^WFrance Telecom, I'm looking at you) seem to be getting it very wrong occasionally.
This is plain wrong, IMHO. Let the end-user do the filtering. People who have separate web hosting away with their ISPs now usually have something within their control panels (I certainly do on my 'service') that will enable/disable spam filtering and customise it to their needs. The same should go for ISPs too.
This is precisely the problem I had with a company called Donhost. They were silently (i.e. not disclosing to their customers) filtering all Yahoo Groups mail which somewhat made the missus and myself somewhat miffed. They soon lost a customer, I can tell you! And this is now why I have my dedicated server and don't use shared hosting anymore.
Regards,
Martyn
Martyn Drake martyn@drake.org.uk writes:
I agree with Mark - those blacklists that seem to derive pleasure from blocking an entire ISP don't do the anti-spam cause any good and should not be used wherever possible.
Never mind whole ISPs. There are multiple whole countries that I would cheerfully block. Character encodings, too, to look a bit further inside a mail than origin and envelope.
It's nothing to do with pleasure, either.
On Thu, Jul 01, 2004 at 11:16:21AM +0100, Richard Kettlewell wrote:
Martyn Drake martyn@drake.org.uk writes:
I agree with Mark - those blacklists that seem to derive pleasure from blocking an entire ISP don't do the anti-spam cause any good and should not be used wherever possible.
Never mind whole ISPs. There are multiple whole countries that I would cheerfully block. Character encodings, too, to look a bit further inside a mail than origin and envelope.
It's nothing to do with pleasure, either.
Yes, my client side spam filter checks for korean character sets and bins any mail with them. That gets rid of a whole lot of junk (and I don't have any Korean correspondents).