Re: [gentoo-user] Local mail server

Re: [gentoo-user] Local mail server

[james]

On 7/28/20 12:10 PM, Wols Lists wrote:
> On 28/07/20 16:01, james wrote:
>> (2) DNS resolvers, (?) mail-servers for a robust mail system that "I"
>> admin, and (1) internet facing web server and (1) internal only facing
>> or limited outward facing Web server for development and security based
>> testing. Static IP are basically $5/month from my ISP.
> 
> Do you really want to pay for a static IP? I'd go IPv6 instead.
> 
> I learnt my v4 in the days of 10-base-2, and I'd really love to update
> to punching holes in a v6 router. Limited risk, and no worries about
> static IPs, NATing, all that legacy stuff ... :-)
> 
> Cheers,
> Wol
> 


So, IPv6 can be assigned without payment to an ISP? Besides having 
static IPs without bandwidth connections routed (assigned) to those IP6 
addresses are not useful?


If I go IPv6, where does the bandwidth come from?

confused,
James

Re: [gentoo-user] Local mail server

[Wols Lists]

On 29/07/20 00:11, james wrote:
> On 7/28/20 12:10 PM, Wols Lists wrote:
>> On 28/07/20 16:01, james wrote:
>>> (2) DNS resolvers, (?) mail-servers for a robust mail system that "I"
>>> admin, and (1) internet facing web server and (1) internal only facing
>>> or limited outward facing Web server for development and security based
>>> testing. Static IP are basically $5/month from my ISP.
>>
>> Do you really want to pay for a static IP? I'd go IPv6 instead.
>>
>> I learnt my v4 in the days of 10-base-2, and I'd really love to update
>> to punching holes in a v6 router. Limited risk, and no worries about
>> static IPs, NATing, all that legacy stuff ... :-)
>>
>> Cheers,
>> Wol
>>
> 
> 
> So, IPv6 can be assigned without payment to an ISP? Besides having
> static IPs without bandwidth connections routed (assigned) to those IP6
> addresses are not useful?
> 
> 
> If I go IPv6, where does the bandwidth come from?
> 
From your ISP?

The OP's ISP charges EXTRA for a static address, which shouldn't be the
case seeing as they have oodles of the things. Or maybe I'm out-of-date,
seeing as my ISP in the old days provided a static IPv4 free of charge
as a matter of course.

Cheers,
Wol

Re: [gentoo-user] Local mail server

[james]

On 7/29/20 5:20 AM, Wols Lists wrote:
> On 29/07/20 00:11, james wrote:
>> On 7/28/20 12:10 PM, Wols Lists wrote:
>>> On 28/07/20 16:01, james wrote:
>>>> (2) DNS resolvers, (?) mail-servers for a robust mail system that "I"
>>>> admin, and (1) internet facing web server and (1) internal only facing
>>>> or limited outward facing Web server for development and security based
>>>> testing. Static IP are basically $5/month from my ISP.
>>>
>>> Do you really want to pay for a static IP? I'd go IPv6 instead.
>>>
>>> I learnt my v4 in the days of 10-base-2, and I'd really love to update
>>> to punching holes in a v6 router. Limited risk, and no worries about
>>> static IPs, NATing, all that legacy stuff ... :-)
>>>
>>> Cheers,
>>> Wol
>>>
>>
>>
>> So, IPv6 can be assigned without payment to an ISP? Besides having
>> static IPs without bandwidth connections routed (assigned) to those IP6
>> addresses are not useful?
>>
>>
>> If I go IPv6, where does the bandwidth come from?
>>
>>From your ISP?
> 
> The OP's ISP charges EXTRA for a static address, which shouldn't be the
> case seeing as they have oodles of the things. Or maybe I'm out-of-date,
> seeing as my ISP in the old days provided a static IPv4 free of charge
> as a matter of course.
> 
> Cheers,
> Wol

Here is the US, too few regulators even comprehend your  arguments or 
the state of commercial routing and networking. If ordinary folks can 
get their porn in a web browser, robustly, then it is classified as a 
'great ISP'.

What folk, with some measure of expertise, have, can and want to do, is 
often only comprehensible by third level support as these ISPs, if you 
get lucky. Free static IPs? Sure I like that idea, but I'd need a 
current link as in the US I think that was some years ago. I'll file for 
some, in a heartbeat, if anyone can point me to the registrar. Note:: 
here in the US, it may be easier and better, to just purchase  an 
assignment, that renders them yours. I'd be shocked if you do not have 
to pay somebody residual fees, just like DNS.

So sense there seems to be interest from several folks,
I'm all interested in how to do this, US centric. I think each country 
sets policy on IP allocations from their (IP6) pool. A dozen or (2) 
pools, so I can test IoT gear, would be keen for my interests. For IoT, 
on aerial vehicles, the restrictions extreme, if you believe what has 
been published.

Very, Very interested in this thread.

Another quesiton. If you have (2) blocks of IP6 address,
can you use BGP4 (RFC 1771, 4271, 4632, 5678,5936 6198 etc ) and other 
RFC based standards  to manage routing and such multipath needs? Who 
enforces what carriers do with networking. Here in the US, I'm pretty 
sure it's just up to the the 
Carrier/ISP/bypass_Carrier/backhaul-transport company)....

Conglomerates with IP resources, pretty much do what they want, and they 
are killing the standards based networking. If I'm incorrect, please 
educated me, as I have not kept up in this space, since selling my ISP 
more than (2) decades ago. The trump-china disputes are only 
accelerating open standards for communications systems, including all 
things TCP/IP.

curiously,
James

Re: [gentoo-user] Local mail server

[antlists]

On 30/07/2020 00:23, james wrote:
> Very, Very interested in this thread.
> 
> Another quesiton. If you have (2) blocks of IP6 address,
> can you use BGP4 (RFC 1771, 4271, 4632, 5678,5936 6198 etc ) and other 
> RFC based standards  to manage routing and such multipath needs? Who 
> enforces what carriers do with networking. Here in the US, I'm pretty 
> sure it's just up to the the 
> Carrier/ISP/bypass_Carrier/backhaul-transport company)....
> 
> Conglomerates with IP resources, pretty much do what they want, and they 
> are killing the standards based networking. If I'm incorrect, please 
> educated me, as I have not kept up in this space, since selling my ISP 
> more than (2) decades ago. The trump-china disputes are only 
> accelerating open standards for communications systems, including all 
> things TCP/IP.

 From what little I understand, IPv6 *enforces* CIDR. So, of the 64 
network bits, maybe the first 16 bits are allocated to each high level 
allocator eg RIPE, ARIN etc. An ISP will then be allocated the next 16 
bits, giving them a 32-bit address space to allocate to their customers 
- each ISP will have an address space the size of IPv4?!

Each customer is then given one of these 64-bit address spaces for their 
local network. So routing tables suddenly become extremely simple - 
eactly the way IPv4 was intended to be.

This may then mean that dynDNS is part of (needs to be) the IPv6 spec, 
because every time a client roams between networks, its IPv6 address HAS 
to change.

I need to research more :-)

Cheers,
Wol

Re: [gentoo-user] Local mail server

[Remco Rijnders]

On Thu, Jul 30, 2020 at 10:05:46AM +0100, antlists wrote in 
<b11e9eef-08e5-7e2a-ff35-2a118dbb8328@youngman.org.uk>:
>From what little I understand, IPv6 *enforces* CIDR. So, of the 64 
>network bits, maybe the first 16 bits are allocated to each high level 
>allocator eg RIPE, ARIN etc. An ISP will then be allocated the next 16 
>bits, giving them a 32-bit address space to allocate to their 
>customers - each ISP will have an address space the size of IPv4?!
>
>Each customer is then given one of these 64-bit address spaces for 
>their local network. So routing tables suddenly become extremely 
>simple - eactly the way IPv4 was intended to be.

An IPv6 address is 128 bits in length. Usually an ISP allocates 64
bits to a single customer, allowing the systems on/behind that
connection to automatically assign themselves an address based on
their MAC address for example. Note that also allocations bigger than
64 bits are common so customers get 70 or 76 bits to use and can use
multiple subnets on their home/business networks.

Point is though, with IPv6 addresses are no longer a scarce
commodity. The cost to an ISP to give you one IPv6 address (/128) is
just the same as given you enough room for your own IPv4 internet
(/64). Whether they make them static or dynamic depends on their
policy and what their customers are willing to put up with / pay for.

Re: [gentoo-user] Local mail server

[Remco Rijnders]

>Point is though, with IPv6 addresses are no longer a scarce
>commodity. The cost to an ISP to give you one IPv6 address (/128) is
>just the same as given you enough room for your own IPv4 internet
>(/64).

Oops, brain freeze. A /64 gives you enough room for an IPv4 internet
of IPv4 networks as IPv4 is just 32 bits.

Re: [gentoo-user] Local mail server

[antlists]

On 30/07/2020 12:13, Remco Rijnders wrote:
> An IPv6 address is 128 bits in length. Usually an ISP allocates 64
> bits to a single customer, allowing the systems on/behind that
> connection to automatically assign themselves an address based on
> their MAC address for example. Note that also allocations bigger than
> 64 bits are common so customers get 70 or 76 bits to use and can use
> multiple subnets on their home/business networks.

I don't think an ISP is supposed to allocate less ...

As I understood it, the first 64 bits are the "network address", ie 
sort-of assigned to the edge router, and the remaining 64 bits are 
assigned by the network operator.

So in your scenario of customers getting more bits, they are effectively 
being assigned 2^6 or 2^12 network addresses. Exactly the scenario 
planned for high-level ISPs parcelling out address space to low-level ISPs.

And looking at the wikipedia page, it looks like the ISP *must* allocate 
at least a /64, because the spec says each device allocates itself a 
least-significant-64 address at random using a collision-detect 
protocol. Which is why many simplistic algorithms include the MAC 
address to (try to) guarantee a unique address on the first attempt.

Cheers,
Wol

Re: [gentoo-user] Local mail server

[Remco Rijnders]

On Thu, Jul 30, 2020 at 01:48:05PM +0100, antlists wrote in 
<f143bfa0-f0c9-c0da-d160-91183a41a4d3@youngman.org.uk>:
>I don't think an ISP is supposed to allocate less ...

I think your original message was open for multiple interpretations,
or at least I read it as you saying there are 32 bit addresses the ISP
allocates from. I now see the alternate one and the one you probably
intended that there is 32 bits worth of /64's to hand out to
customers. I'm sorry for misunderstanding at first.

Yes, a mimimum of /64 is what is recommended (and needed to make
stateless auto configuration work on the customers end). Whether the
/64 you get allocated is dynamic or static, can still depend on the
ISP's practises and business model.

Cheers,

Remco

Re: [gentoo-user] Local mail server

[antlists]

On 30/07/2020 14:28, Remco Rijnders wrote:
> On Thu, Jul 30, 2020 at 01:48:05PM +0100, antlists wrote in 
> <f143bfa0-f0c9-c0da-d160-91183a41a4d3@youngman.org.uk>:
>> I don't think an ISP is supposed to allocate less ...
> 
> I think your original message was open for multiple interpretations,
> or at least I read it as you saying there are 32 bit addresses the ISP
> allocates from. I now see the alternate one and the one you probably
> intended that there is 32 bits worth of /64's to hand out to
> customers. I'm sorry for misunderstanding at first.
> 
> Yes, a mimimum of /64 is what is recommended (and needed to make
> stateless auto configuration work on the customers end). Whether the
> /64 you get allocated is dynamic or static, can still depend on the
> ISP's practises and business model.
> 
No problem. Many people aren't native English speakers (and I can get a 
little bit hot under the collar when Americans claim to speak English 
:-) so I have no problem with mis-understandings.

Besides English I speak three other languages ranging from "get by" to 
"struggling", so I well understand all the problems caused by implicit 
nuances, differences in grammar, different mind-sets etc :-)

Cheers,
Wol

Re: [gentoo-user] Local mail server

[Ralph Seichter]

* antlists@youngman.org.uk:

> An ISP will then be allocated the next 16 bits, giving them a 32-bit
> address space to allocate to their customers - each ISP will have an
> address space the size of IPv4?!

ISPs can ask for several address spaces, each of which had a much,
*much* larger address space than the whole of IPv4. My ISP (Deutsche
Telekom) assigns /56 Subnets to Home Routers. Given that an IPv6 address
encompasses 128 Bits, each household is thus provided with an address
space of 2^(128-56) Bits. The whole of IPv4 spans only 2^32 Bits.

Any halfway decent data center should, at least, hand out /64 Subnets
for each and every hardware server and VM, free of charge. With virtu-
alisation becoming mainstream, I'd prefer to have a /56 for the host
server, so I can assign /64 subnets to each VM.

A wider address space does not mean one makes use of every available
address, of course. It just makes routing that much simpler, and there
is no need for silly stuff like NAT.

-Ralph

Re: [gentoo-user] Local mail server

[Grant Taylor]

On 7/30/20 3:05 AM, antlists wrote:
> From what little I understand, IPv6 *enforces* CIDR.

Are you talking about the lack of defined classes of network; A, B, C, 
D, E?  Or are you talking about hierarchical routing?

There is no concept of a class of network in IPv6.

Hierarchical routing is a laudable goal, but it failed 15-20 years ago.

> Each customer is then given one of these 64-bit address spaces for their 
> local network. So routing tables suddenly become extremely simple - 
> eactly the way IPv4 was intended to be.

Except that things didn't work out that way.

Provider Independent addresses, multi-homing, and redundant routes mean 
that hierarchical routing failed 15-20 years ago.

Many providers try to address things so that hierarchical routing is a 
thing within their network.  But the reality of inter-networking between 
providers means that things aren't as neat and tidy as this on the Internet.

> This may then mean that dynDNS is part of (needs to be) the IPv6 spec, 
> because every time a client roams between networks, its IPv6 address HAS 
> to change.

Nope.

It's entirely possible to have clients roam between IPv6 (and IPv4) 
networks without (one of) it's address(es) changing.  Mobile IP.  VPNs. 
Tunnels.  BGP....

Sure, the connection to the network changes as it moves from network to 
network.  But this doesn't mean that the actual IP address that's used 
by the system to communicate with the world changes.

Take a look at IPv6 Provider Delegation.  At least as Comcast does it, 
means that you only have a link-local IPv6 address on the outside and a 
/56 on the inside of a network.  The world sees the globally routed IPv6 
network on the inside and doesn't give 2¢ what the outside link-net IPv6 
address is.  Comcast routes the /56 they delegate to you via the 
non-globally-routed IPv6 link-net IPv6 address.

There are multiple ways to keep the same IP while changing the 
connecting link.



-- 
Grant. . . .
unix || die

Re: [gentoo-user] Local mail server

[james]

On 7/31/20 12:38 PM, Grant Taylor wrote:
> On 7/30/20 3:05 AM, antlists wrote:
>> From what little I understand, IPv6 *enforces* CIDR.
> 
> Are you talking about the lack of defined classes of network; A, B, C, 
> D, E?? Or are you talking about hierarchical routing?
> 
> There is no concept of a class of network in IPv6.
> 
> Hierarchical routing is a laudable goal, but it failed 15-20 years ago.
> 
>> Each customer is then given one of these 64-bit address spaces for 
>> their local network. So routing tables suddenly become extremely 
>> simple - eactly the way IPv4 was intended to be.
> 
> Except that things didn't work out that way.
> 
> Provider Independent addresses, multi-homing, and redundant routes mean 
> that hierarchical routing failed 15-20 years ago.
> 
> Many providers try to address things so that hierarchical routing is a 
> thing within their network.? But the reality of inter-networking between 
> providers means that things aren't as neat and tidy as this on the 
> Internet.
> 
>> This may then mean that dynDNS is part of (needs to be) the IPv6 spec, 
>> because every time a client roams between networks, its IPv6 address 
>> HAS to change.
> 
> Nope.
> 
> It's entirely possible to have clients roam between IPv6 (and IPv4) 
> networks without (one of) it's address(es) changing.? Mobile IP.? VPNs. 
> Tunnels.? BGP....
> 
> Sure, the connection to the network changes as it moves from network to 
> network.? But this doesn't mean that the actual IP address that's used 
> by the system to communicate with the world changes.
> 
> Take a look at IPv6 Provider Delegation.? At least as Comcast does it, 
> means that you only have a link-local IPv6 address on the outside and a 
> /56 on the inside of a network.? The world sees the globally routed IPv6 
> network on the inside and doesn't give 2? what the outside link-net IPv6 
> address is.? Comcast routes the /56 they delegate to you via the 
> non-globally-routed IPv6 link-net IPv6 address.
> 
> There are multiple ways to keep the same IP while changing the 
> connecting link.

I'd like to start with a basic list/brief description of these, please?

James

Re: [gentoo-user] Local mail server

[Grant Taylor]

On 7/31/20 1:39 PM, james wrote:
> I'd like to start with a basic list/brief description of these, please?

They basically come down to two broad categories:
1)  Have the ""static IP bound to an additional network interface on the 
destination system and leverage routing to get from clients to it.
2)  Have the ""static IP bound to a remote system that forwards traffic 
to a different address on the local system.

Traffic frequently spans the network between the local system and the 
remote system through some sort of VPN.

Note:  VPNs can be encrypted or unencrypted.

I think one of the simpler things to do is to have something like a 
Raspberry Pi (a common, simple, inexpensive example) SSH to a Virtual 
Private Server somewhere on the Internet and use remote port forwarding.

    root@pi# ssh root@vps -R 203.0.113.23:25:127.0.0.1:25

Note:  I'm using root to simplify the example.  Apply security best 
practices.

This will allow port 25 on a VPS with a (true) static IP (configured in 
/etc/conf.d/net) to receive TCP connections and forward them to your 
local mail server completely independent of what IP your local Pi may 
connect to the Internet with.

Your MX record(s) resolve to the IP address of the VPS.  You can change 
local IPs or ISPs or even country as often as you like.

Another more complex method is to use a more traditional VPN; e.g. GRE 
tunnel, IPsec tunnel, SSH L2 / L3 tunnel, OpenVPN, WireGuard and IP 
forwarding on the VPS to route the TCP connections to the local mail server.

Things quickly get deep in minutia of what method you want to use and 
what you want to go over it.

I think the SSH remote port forwarding is an elegant technique.  It's 
relatively simple and it has the added advantage that when the 
connection is down the VPS will not establish a TCP connection (because 
ssh is not listening on the remotely forwarded port) thus remote 
connecting systems will fail hard / fast, thus it's more likely to be 
brought to a human's attention.



-- 
Grant. . . .
unix || die

Re: [gentoo-user] Local mail server

[Grant Taylor]

On 7/29/20 5:23 PM, james wrote:
> Free static IPs?

Sure.

Sign up with Hurricane Electric for an IPv6 in IPv4 tunnel and request 
that they route a /56 to you.  It's free.  #hazFun

> Note:: here in the US, it may be easier and better, to just purchase 
> an assignment, that renders them yours.

Simply paying someone for IPs doesn't "render them yours" per say.

> I'd be shocked if you do not have to pay somebody residual fees, 
> just like DNS.

It is highly dependent on what you consider to be "residual fees".

Does the circuit to connect you / your equipment to the Internet count?

What about the power to run said equipment?

Does infrastructure you already have and completely paying for mean that 
adding a new service (DNS) to it costs (more) money?

Yes, there is annual (however it works out) rental on the domain name. 
But you can easily host your own DNS if you have infrastructure to do so on.

My VPS provider offers no-additional-charge DNS services.  Does that 
mean that it's free?  I am paying them a monthly fee for other things. 
How you slice things can be quite tricky.

> So sense there seems to be interest from several folks,
> I'm all interested in how to do this, US centric.

I think the simplest and most expedient is to get a Hurricane Electric 
IPv6-in-IPv4 tunnel.

> Another quesiton. If you have (2) blocks of IP6 address,
> can you use BGP4 (RFC 1771, 4271, 4632, 5678,5936 6198 etc ) and other 
> RFC based standards  to manage routing and such multipath needs?

Conceptually?  Sure.

Minutia:  I don't recall at the moment if the same version of the BGP 
protocol handles both IPv4 and IPv6.  I think it does.  But I need more 
caffeine and to check things to say for certain.  Either way, I almost 
always see BGPv4 and BGPv6 neighbor sessions established independently.

There is a fair bit more that needs to be done to support multi-path in 
addition to having a prefix.

> Who enforces what carriers do with networking. Here 
> in the US, I'm pretty sure it's just up to the the 
> Carrier/ISP/bypass_Carrier/backhaul-transport company)....

Yep.

There is what any individual carrier will do and then there's what the 
consensus of the Internet will do.  You can often get carriers to do 
more things than the Internet in general will do.  Sometimes for a fee. 
Sometimes for free.  It is completely dependent on the carrier.

> Conglomerates with IP resources, pretty much do what they want, and they 
> are killing the standards based networking. If I'm incorrect, please 
> educated me, as I have not kept up in this space, since selling my ISP 
> more than (2) decades ago.

Please elaborate on what you think the industry / conglomerates are 
doing that is killing the standards based networking.

> The trump-china disputes are only accelerating open standards for 
> communications systems, including all things TCP/IP.

Please elaborate.



-- 
Grant. . . .
unix || die

Re: [gentoo-user] Local mail server

[james]

On 7/31/20 12:30 PM, Grant Taylor wrote:
> On 7/29/20 5:23 PM, james wrote:
>> Free static IPs?
> 
> Sure.
> 
> Sign up with Hurricane Electric for an IPv6 in IPv4 tunnel and request 
> that they route a /56 to you.? It's free.? #hazFun
> 

Great to know. I'll see what happens.
>> Note:: here in the US, it may be easier and better, to just purchase 
>> an assignment, that renders them yours.
> 
> Simply paying someone for IPs doesn't "render them yours" per say.
agreed.
> 
>> I'd be shocked if you do not have to pay somebody residual fees, just 
>> like DNS.
> 
> It is highly dependent on what you consider to be "residual fees".
> 
> Does the circuit to connect you / your equipment to the Internet count?

Usually, the circuit for connectivity and the other costs,  are bundled 
by the ISP/bandwidth-carrier. Sure it get's more complicated with 
bypass, dark-fiber, IEC, and a myriad of other vendor solutions.

> 
> What about the power to run said equipment?

Comm gear is usually low power, but if they assign you a rack or 
whatever, then the accounting can tag you with hundreds per month for 
Air Conditioning, transport, etc etc.  So I was not intending to go down 
that pathway of charges and fees.

> 
> Does infrastructure you already have and completely paying for mean that 
> adding a new service (DNS) to it costs (more) money?
> 
> Yes, there is annual (however it works out) rental on the domain name. 
> But you can easily host your own DNS if you have infrastructure to do so 
> on.

yep, at least (2) static IPs. Once running I'll find a similar bandwidth 
usage organization and swap DNS secondary services. Now days with all 
the issue wit CA  and others similar/related issues. that might get 
complicated. (2) static IPs for (2) dns primary resolvers should get me 
going.
> 
> My VPS provider offers no-additional-charge DNS services.? Does that 
> mean that it's free?? I am paying them a monthly fee for other things. 
> How you slice things can be quite tricky.

Yep yep yep.
> 
>> So sense there seems to be interest from several folks,
>> I'm all interested in how to do this, US centric.
> 
> I think the simplest and most expedient is to get a Hurricane Electric 
> IPv6-in-IPv4 tunnel.
> 
I agree, based on what you have shared.

>> Another quesiton. If you have (2) blocks of IP6 address,
>> can you use BGP4 (RFC 1771, 4271, 4632, 5678,5936 6198 etc ) and other 
>> RFC based standards? to manage routing and such multipath needs?
> 
> Conceptually?? Sure.
> 
> Minutia:? I don't recall at the moment if the same version of the BGP 
> protocol handles both IPv4 and IPv6.? I think it does.? But I need more 
> caffeine and to check things to say for certain.? Either way, I almost 
> always see BGPv4 and BGPv6 neighbor sessions established independently.
> 
> There is a fair bit more that needs to be done to support multi-path in 
> addition to having a prefix.

yep yep yep!

> 
>> Who enforces what carriers do with networking. Here in the US, I'm 
>> pretty sure it's just up to the the 
>> Carrier/ISP/bypass_Carrier/backhaul-transport company)....
> 
> Yep.
> 
> There is what any individual carrier will do and then there's what the 
> consensus of the Internet will do.? You can often get carriers to do 
> more things than the Internet in general will do.? Sometimes for a fee. 
> Sometimes for free.? It is completely dependent on the carrier.


Verizon killing its email services:

https://www.inquirer.com/philly/blogs/comcast-nation/Verizon-exiting-email-business.html

> 
>> Conglomerates with IP resources, pretty much do what they want, and 
>> they are killing the standards based networking. If I'm incorrect, 
>> please educated me, as I have not kept up in this space, since selling 
>> my ISP more than (2) decades ago.
> 

Well, it's probable not appropriate for me to "finger" specifics. But if 
you just learn about all the things some carriers are experimenting 
with, in the name of 5G, it is a wide variety experimentation, to put it 
mildly.

> Please elaborate on what you think the industry / conglomerates are 
> doing that is killing the standards based networking.
> 
>> The trump-china disputes are only accelerating open standards for 
>> communications systems, including all things TCP/IP.

> 
> Please elaborate.

Forking the internet into 1.China & pals  2. European Member states. 3. 
USA and allies.


"Some" folks would argue the mess with Certificate Authority (CA) 
provides an enormous venue for Nefarious activities. Some would say "the 
feds & company" would/are choosing  instability, rather than enforceable 
rules, which include the (US) federal authorities. Their default is 
"hack the planet", as long as we get backdoors and other forms of access 
to everything.

  However this list has many very smart readers. I'm not going too deep. 
I will say that every RF chipset is deeply comprised and it takes 
millions of dollars in gear to delineate that. Believe what you want.

But someone like you (Grant) could help guide and document a gentoo 
centric collective that provides for
email services, secure/limited web servers and a pair of embedded/DNS 
(primary) resolvers so we can keep email systems alive. With that 
baseline, folks with a need, can add what they want. That's what I'm 
trying to achieve. Common interest that eventually also leads to a very 
robust testing semantic. Web, Email, and DNS services is a very large 
effort, particular with robust and routine security testing.

There is another movement to put linux, source base, onto your "open" 
cell phone, but that's another thread for another day.  2 projects 
(gentoo centric) in estimation, destine to become robust and as 
critically important, as the Linux kernel itself.

Personally, I strongly dislike all of those replacement services, from 
megalopolis like Google, Facebook, Microsoft and others. ymmv.

  Thanks  for your insight and suggestions.

James

Re: [gentoo-user] Local mail server

[Grant Taylor]

On 7/31/20 12:01 PM, james wrote:
> yep, at least (2) static IPs.

You can actually get away with one static IP.  It's ill advised.  But it 
will function.

You can also have external 3rd party secondary DNS servers that pull 
from your (private) primary DNS server.  You might even be able to get 
this communications over a VPN if the secondary DNS server operator is 
cooperative.

> Once running I'll find a similar bandwidth usage organization and swap 
> DNS secondary services.

That's a nice idea.  But I've not bothered with that in about 18 years.

I have Linode DNS servers be secondaries for my domains and point the 
world at them.  I'm still in complete control of the domains via my 
personal primary DNS server.

Note:  I'm not offering reciprocal secondary DNS service.

This is trivial (for Linode) perk that I get by being a customer for 
other things.  I think a single < $5 / month VPS qualifies me.  (I don't 
remember if there is a lower tier VPS or not.)

> Now days with all the issue wit CA  and others similar/related 
> issues. that might get complicated.

Don't let those features blind you, especially if you don't want to use 
their features.  Also be mindful of ascribing credit them if they are 
simply front ending something like Let's Encrypt, which you can do on 
your own for free.

> (2) static IPs for (2) dns primary resolvers should get me going.

1 static IP somewhere will get you started.  ;-)

> Verizon killing its email services:
> 
> https://www.inquirer.com/philly/blogs/comcast-nation/Verizon-exiting-email-business.html 

I'm not at all surprised.

> Well, it's probable not appropriate for me to "finger" specifics. But if 
> you just learn about all the things some carriers are experimenting 
> with, in the name of 5G, it is a wide variety experimentation, to put it 
> mildly.

5G is just the latest in a long line of motivators that have caused 
providers to do questionable things.

> Forking the internet into 1.China & pals  2. European Member states. 3. 
> USA and allies.

I've not yet seen any indication that these Geo Political issues have 
influencing the technological standards that are used.  Sure, they are 
influencing who they are used with, and in some cases /not/ used with. 
But, thus far, the underlying technical standards have been the same.

> But someone like you (Grant) could help guide and document a gentoo 
> centric collective that provides for email services, secure/limited 
> web servers and a pair of embedded/DNS (primary) resolvers so we can 
> keep email systems alive.

A couple of things:

1)  Nothing about what I'm suggesting is Gentoo, or even Linux, 
specific.  The same methodologies can be used on other OSs.

2)  I don't think that email is going to die.  It certainly won't do it 
faster than Usenet has (not) done.  (Usenet is still alive and quite 
active.)

Yes, email is growing and changing.  But each and every one of us that 
thinks about running our own email server has a tiny bit of influence in 
that through our actions.

> Thanks  for your insight and suggestions.

You're welcome.  :-)



-- 
Grant. . . .
unix || die

[gentoo-user] Re: Local mail server

[Grant Edwards]

On 2020-07-31, Grant Taylor <gtaylor@gentoo.tnetconsulting.net> wrote:
> On 7/29/20 5:23 PM, james wrote:
>> Free static IPs?
>
> Sure.
>
> Sign up with Hurricane Electric for an IPv6 in IPv4 tunnel and request 
> that they route a /56 to you.  It's free.  #hazFun

If I had a week with nothing to do, I'd love to try to get something
like that working -- but, I assume you need a static IPv4 address.

--
Grant

Re: [gentoo-user] Re: Local mail server

[Grant Taylor]

On 7/31/20 1:54 PM, Grant Edwards wrote:
> If I had a week with nothing to do, I'd love to try to get something 
> like that working

You don't need a week.  You don't even need a day.  You can probably 
have a test tunnel working (on your computer) in less than an hour. 
Then maybe a few more hours to get it to work on your existing equipment 
(router) robustly and automatically on reboot.

I encourage you to spend that initial hour.  I think  you will find that 
will be time well spent.

Hurricane Electric does have something else that will take more time, 
maybe a few minutes a day over a month or so.  Their IPv6 training 
program (I last looked a number of years ago) is a good introduction to 
IPv6 in general.  Once you complete it, they'll even send you a shirt as 
a nice perk.

Note:  H.E. IPv6 training is independent and not required for their 
IPv6-in-IPv4 tunnel service.

> but, I assume you need a static IPv4 address.

Nope.  Not really.

You do need a predictable IPv4 address.  I'm using a H.E. tunnel on a 
sticky IP (DHCP with long lease and renewals) perfectly fine.

If your IP does change, you just need to update the tunnel or create a 
new one to replace the old one.  This is all manged through their web 
interface.



-- 
Grant. . . .
unix || die

Re: [gentoo-user] Re: Local mail server

[james]

On 8/1/20 2:45 PM, Grant Taylor wrote:
> On 7/31/20 1:54 PM, Grant Edwards wrote:
>> If I had a week with nothing to do, I'd love to try to get something 
>> like that working
> 
> You don't need a week.� You don't even need a day.� You can probably 
> have a test tunnel working (on your computer) in less than an hour. Then 
> maybe a few more hours to get it to work on your existing equipment 
> (router) robustly and automatically on reboot.
> 
> I encourage you to spend that initial hour.� I think� you will find that 
> will be time well spent.
> 
> Hurricane Electric does have something else that will take more time, 
> maybe a few minutes a day over a month or so.� Their IPv6 training 
> program (I last looked a number of years ago) is a good introduction to 
> IPv6 in general.� Once you complete it, they'll even send you a shirt as 
> a nice perk.
> 
> Note:� H.E. IPv6 training is independent and not required for their 
> IPv6-in-IPv4 tunnel service.
> 
>> but, I assume you need a static IPv4 address.
> 
> Nope.� Not really.
> 
> You do need a predictable IPv4 address.� I'm using a H.E. tunnel on a 
> sticky IP (DHCP with long lease and renewals) perfectly fine.
> 
> If your IP does change, you just need to update the tunnel or create a 
> new one to replace the old one.� This is all manged through their web 
> interface.
> 
> 
> 

Here is an short read on the acceptance and usage of IPv6:

https://ungleich.ch/u/blog/2020-the-year-of-ipv6/

So, yes I am working on using IPv6, with my RV/mobile-lab.

hth,
Jams

Re: [gentoo-user] Re: Local mail server

[Grant Taylor]

On 8/7/20 2:06 PM, james wrote:
> Here is an short read on the acceptance and usage of IPv6:
> 
> https://ungleich.ch/u/blog/2020-the-year-of-ipv6/
> 
> So, yes I am working on using IPv6, with my RV/mobile-lab.

I think that IPv6 is a good thing.

But I would be remis to not say that IPv6 is somewhat of a black sheep 
in the email administrators community.

You still effectively must have IPv4 connectivity to your email server, 
lest a non-trivial percentage of email fail to flow.

I also know of a number of email administrators that are specifically 
dragging their feet regarding IPv6 because there hasn't yet been 
critical mass use of IPv6 /for/ /email/.

In fact, some of the early IPv6 adopters for email are spammers.  So 
some administrators stim this tide by being exclusively IPv4.

I think dual stack for email servers is great.  (Deal with the spam.) 
But being exclusively IPv6 on an email server is going to be problematic.

I'm focusing on email servers because that's what this thread had 
largely been about.



-- 
Grant. . . .
unix || die

[gentoo-user] Local mail server

[Peter Humphrey]

Afternoon all,

I'd like to set up a little box to be a local mail server. It would receive 
mails from other machines on the LAN, and it would fetch POP3 mail from my ISP 
and IMAP mail from google mail. KMail on my workstation would then read the 
mails via IMAP. That's all. I might want to add a few extras later, such as 
receiving SMTP mail for a .me domain I own. My present total of emails is 
about 4000.

I used to have a working system on a box that's now deceased [1], but in 
replicating it I'm having difficulty threading my way through the mutually 
inconsistent Gentoo mail server docs, omitting the bits I don't need and 
interpreting the rest. Bits I don't need? Database backend, web-mail access, 
web admin tools, fancy multi-user authorisation, any other baroque complexity.

So I'm asking what systems other people use. I can't be unusual in what I 
want, so there must be lots of solutions out there somewhere. Would anyone 
like to offer me some advice?

1.  Yes, of course I did have backups, but in juggling the media I managed to 
lose them. A world of advice to others: don't grow old.  :)

-- 
Regards,
Peter.

Re: [gentoo-user] Local mail server

[antlists]

On 19/07/2020 15:18, Peter Humphrey wrote:
> So I'm asking what systems other people use. I can't be unusual in what I
> want, so there must be lots of solutions out there somewhere. Would anyone
> like to offer me some advice?

Doing my best to remember my setup ...

Running postfix as my mail server. I never managed to get it working to 
SEND email, so clients had to be configured to send straight to my ISP. 
Don't send to google - it rewrites the headers ...

Used fetchmail to download, until an upgrade/fix/something broke MySQL 
so all my virtual email addresses broke.

Use Courier-IMAP to provide access from clients to the mail store.

I *think* that's all, but I dunno how long my system has been running 
(it hasn't even been updated for a couple of years :-( and apart from 
that MySQL problem it's been running untouched pretty much from day 1.

Cheers,
Wol

Re: [gentoo-user] Local mail server

[Michael]

[-- Attachment #1: Type: text/plain, Size: 1093 bytes --]

On Sunday, 19 July 2020 16:48:29 BST antlists wrote:
> On 19/07/2020 15:18, Peter Humphrey wrote:
> > So I'm asking what systems other people use. I can't be unusual in what I
> > want, so there must be lots of solutions out there somewhere. Would anyone
> > like to offer me some advice?
> 
> Doing my best to remember my setup ...
> 
> Running postfix as my mail server. I never managed to get it working to
> SEND email, so clients had to be configured to send straight to my ISP.
> Don't send to google - it rewrites the headers ...
> 
> Used fetchmail to download, until an upgrade/fix/something broke MySQL
> so all my virtual email addresses broke.
> 
> Use Courier-IMAP to provide access from clients to the mail store.
> 
> I *think* that's all, but I dunno how long my system has been running
> (it hasn't even been updated for a couple of years :-( and apart from
> that MySQL problem it's been running untouched pretty much from day 1.
> 
> Cheers,
> Wol

Notwithstanding a recent security vulnerability net-mail/dovecot may be able 
to do all you want/need from a home mailserver.

[-- Attachment #2: This is a digitally signed message part. --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

Re: [gentoo-user] Local mail server

[Steven Lembark]

Dovecot works well enough, catch is that it has some security
issues. My fix is to have it run on localhost and ssh tunnel 
local ports into 143 & 25 on the in-house server. At that point
postfix + dovecot work fine for me.


-- 
Steven Lembark
Workhorse Computing
lembark@wrkhors.com
+1 888 359 3508

Re: [gentoo-user] Local mail server

[Petric Frank]

[-- Attachment #1: Type: text/plain, Size: 559 bytes --]

Am Sonntag, 19. Juli 2020, 16:18:32 CEST schrieb Peter Humphrey:
> Afternoon all,
>
> I'd like to set up a little box to be a local mail server. It would receive
> mails from other machines on the LAN, and it would fetch POP3 mail from my
> ISP and IMAP mail from google mail.

For me this was a good starting point:
  https://wiki.gentoo.org/wiki/Complete_Virtual_Mail_Server[1]

I placed a Gentoo VM for this on my Proxmox VM server doing the job.

regards
  Petric


--------
[1] https://wiki.gentoo.org/wiki/Complete_Virtual_Mail_Server

[-- Attachment #2: Type: text/html, Size: 3113 bytes --]

Re: [gentoo-user] Local mail server

[Grant Taylor]

On 7/19/20 8:18 AM, Peter Humphrey wrote:
> Afternoon all,

Hi,

> I'd like to set up a little box to be a local mail server. It would 
> receive mails from other machines on the LAN, and it would fetch 
> POP3 mail from my ISP and IMAP mail from google mail. KMail on my 
> workstation would then read the mails via IMAP. That's all. I might 
> want to add a few extras later, such as receiving SMTP mail for a 
> .me domain I own. My present total of emails is about 4000.

That should be quite possible to do.

IMHO there's not much difference in an internal only and an externally 
accessible mail server as far as the software & configuration that's on 
said server.  The only real difference is what the world thinks of it.

> I used to have a working system on a box that's now deceased 
> [1], but in replicating it I'm having difficulty threading my 
> way through the mutually inconsistent Gentoo mail server docs, 
> omitting the bits I don't need and interpreting the rest. Bits I 
> don't need? Database backend, web-mail access, web admin tools, 
> fancy multi-user authorisation, any other baroque complexity.

There are a LOT of ways to do this.  You need to pick the program that 
you want to use for various functions:

  - SMTP: Sendmail (my preference), Postfix (quite popular), etc.
  - IMAP: Courier (my preference), Dovecot (quite popular), etc.
  - POP3: Courier, Dovecot (?), QPopper (?), etc.
  - LDA: Procmail (my preference), delivermail, etc.

Pick the programs that you want to run, possibly influenced by what they 
do and don't support to find an overlap that works.  E.g. Maildir used 
to be less well supported than it is today.

You have already indicated that you want to use fetchmail (or something 
like it).

> So I'm asking what systems other people use. I can't be unusual in what 
> I want, so there must be lots of solutions out there somewhere. Would 
> anyone like to offer me some advice?

I actually think it's more unusual to want to run an email server that 
doesn't receive email directly from the world vs one that does.  But 
whatever you want.

As others have alluded to, sending email may be tricky, but ultimately 
possible to do.  It will have a LOT to do with what domain name you use, 
and if you have your server smart host through something else.

> 1.  Yes, of course I did have backups, but in juggling the media I 
> managed to lose them. A world of advice to others: don't grow old.  :)

Oops!



-- 
Grant. . . .
unix || die

Re: [gentoo-user] Local mail server

[Neil Bothwick]

[-- Attachment #1: Type: text/plain, Size: 830 bytes --]

On Sun, 19 Jul 2020 15:18:32 +0100, Peter Humphrey wrote:

> I used to have a working system on a box that's now deceased [1], but
> in replicating it I'm having difficulty threading my way through the
> mutually inconsistent Gentoo mail server docs, omitting the bits I
> don't need and interpreting the rest. Bits I don't need? Database
> backend, web-mail access, web admin tools, fancy multi-user
> authorisation, any other baroque complexity.

I use Postfix for SMTP, Dovecot for IMAP and getmail to fetch mail from a
POP3 account (other mail is delivered directory to Postfix).

I also use procmail for filtering - although if you already have this set
up in KMail, that should suffice - and dspam for spam filtering.


-- 
Neil Bothwick

Never ask a geek why, just nod your head and slowly back away
 

[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

Re: [gentoo-user] Local mail server

[Peter Humphrey]

On Monday, 20 July 2020 12:33:50 BST Neil Bothwick wrote:

> I use Postfix for SMTP, Dovecot for IMAP and getmail to fetch mail from a
> POP3 account (other mail is delivered directory to Postfix).

That's what I want to use, except for fetchmail instead of getmail.

I'm taking the suggestions in this thread (thanks), and following the simple 
mail server guide [1]. I've made precisely two changes in main.cf: soft_bounce 
= yes, mynetworks_style = host. Everything else is left at its default.

Postfix starts okay, but when I 'telnet localhost 25' I get this in the log:

fatal: in parameter smtpd_relay_restrictions or smtpd_recipient_restrictions, 
specify at least one working instance of: reject_unauth_destination, 
defer_unauth_destination, reject, defer, defer_if_permit or 
check_relay_domains

Which of those restrictions do I specify, and where, and why aren't they set 
by default?

> I also use procmail for filtering - although if you already have this set
> up in KMail, that should suffice - and dspam for spam filtering.

Yes, KMail is fine for this, with spamassassin.

1.  https://wiki.gentoo.org/wiki/Postfix

-- 
Regards,
Peter.

Re: [gentoo-user] Local mail server

[antlists]

On 20/07/2020 15:55, Peter Humphrey wrote:
> fatal: in parameter smtpd_relay_restrictions or smtpd_recipient_restrictions,
> specify at least one working instance of: reject_unauth_destination,
> defer_unauth_destination, reject, defer, defer_if_permit or
> check_relay_domains
> 
> Which of those restrictions do I specify, and where, and why aren't they set
> by default?

I'm guessing that's because it needs to know what to do with an email ...

The language is odd, but I suspect it's saying "do I relay this message 
and if so how, or do I deliver and and if so how do I know where and to 
who?"

None of these can be known by default...

Cheers,
Wol

Re: [gentoo-user] Local mail server

[Michael Orlitzky]

On 2020-07-20 12:39, antlists wrote:
> On 20/07/2020 15:55, Peter Humphrey wrote:
>> fatal: in parameter smtpd_relay_restrictions or smtpd_recipient_restrictions,
>> specify at least one working instance of: reject_unauth_destination,
>> defer_unauth_destination, reject, defer, defer_if_permit or
>> check_relay_domains
>>
>> Which of those restrictions do I specify, and where, and why aren't they set
>> by default?
> 

(I missed the original mail, so I'm replying here.)

If you don't specify one of those restrictions in one of those places,
your mail server is an open relay. Postfix doesn't let you do that.

One of them is set by default; smtpd_relay_restrictions end with
defer_unauth_destination on new installs.

Re: [gentoo-user] Local mail server

[Peter Humphrey]

On Monday, 20 July 2020 18:25:28 BST Michael Orlitzky wrote:
> On 2020-07-20 12:39, antlists wrote:
> > On 20/07/2020 15:55, Peter Humphrey wrote:
> >> fatal: in parameter smtpd_relay_restrictions or
> >> smtpd_recipient_restrictions, specify at least one working instance of:
> >> reject_unauth_destination, defer_unauth_destination, reject, defer,
> >> defer_if_permit or check_relay_domains
--->8
> If you don't specify one of those restrictions in one of those places,
> your mail server is an open relay. Postfix doesn't let you do that.
> 
> One of them is set by default; smtpd_relay_restrictions end with
> defer_unauth_destination on new installs.

That command doesn't appear in my main.cf.

I ended up adding the following to main.cf:

-------
# Allow connections from trusted networks only.
smtpd_client_restrictions = permit_mynetworks, reject

# Don't talk to mail systems that don't know their own hostname.
smtpd_helo_restrictions = reject_unknown_helo_hostname

# Don't accept mail from domains that don't exist.
smtpd_sender_restrictions = reject_unknown_sender_domain

smtpd_recipient_restrictions = permit_mynetworks,
    permit_sasl_authenticated,

smtpd_relay_restrictions = permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination

# Block clients that speak too early.
smtpd_data_restrictions = reject_unauth_pipelining

-------

Those came from http://www.postfix.org/SMTPD_ACCESS_README.html.

I don't know what use the page https://wiki.gentoo.org/wiki/Postfix is: it 
hasn't helped me at all.

As usual, though, the kind people on this list certainly have! Thank you all.

-- 
Regards,
Peter.

Re: [gentoo-user] Local mail server

[William Kenworthy]

I have used "https://wiki.gentoo.org/wiki/Mailfiltering_Gateway/en" or
variations of for many years - currently on an lxc instance on a low
power arm server.  Handles 1-200 emails (including spam) a day with
potentially up to quite a few thousand.  I am using the configuration
without mysql etc.  My biggest maintenance on it is trying to keep the
permissions correct after upgrades etc., otherwise as the families mail
gateway its quite reliable.

BillK


On 19/7/20 10:18 pm, Peter Humphrey wrote:
> Afternoon all,
>
> I'd like to set up a little box to be a local mail server. It would receive 
> mails from other machines on the LAN, and it would fetch POP3 mail from my ISP 
> and IMAP mail from google mail. KMail on my workstation would then read the 
> mails via IMAP. That's all. I might want to add a few extras later, such as 
> receiving SMTP mail for a .me domain I own. My present total of emails is 
> about 4000.
>
> I used to have a working system on a box that's now deceased [1], but in 
> replicating it I'm having difficulty threading my way through the mutually 
> inconsistent Gentoo mail server docs, omitting the bits I don't need and 
> interpreting the rest. Bits I don't need? Database backend, web-mail access, 
> web admin tools, fancy multi-user authorisation, any other baroque complexity.
>
> So I'm asking what systems other people use. I can't be unusual in what I 
> want, so there must be lots of solutions out there somewhere. Would anyone 
> like to offer me some advice?
>
> 1.  Yes, of course I did have backups, but in juggling the media I managed to 
> lose them. A world of advice to others: don't grow old.  :)
>

Re: [gentoo-user] Local mail server

[Peter Humphrey]

On Sunday, 19 July 2020 15:18:32 BST I wrote:

<snipped>

I think I'm nearly there, but still one config problem eludes me.

The setup is fetchmail > postfix > dovecot.

Postfix is trying to deliver some mail (not all) to me@this-workstation instead 
of to its own machine, and I can't see why. I've tried a couple of relay-host 
settings, but then I just get "warning: relayhost configuration problem" in the 
log, so relay-host is now back to its default value.

Here's an excerpt from main.cf:

myhostname = serv.<my.local.domain>
mydomain = <my.local.domain>
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain

I've tried omitting $mydomain from that last line, but it didn't help.

Can anyone see what I'm missing? (More of main.cf if needed.)

-- 
Regards,
Peter.

Re: [gentoo-user] Local mail server

[james]

On 7/25/20 8:09 AM, Peter Humphrey wrote:
> On Sunday, 19 July 2020 15:18:32 BST I wrote:
> 
> <snipped>
> 
> I think I'm nearly there, but still one config problem eludes me.
> 
> The setup is fetchmail > postfix > dovecot.
> 
> Postfix is trying to deliver some mail (not all) to me@this-workstation instead
> of to its own machine, and I can't see why. I've tried a couple of relay-host
> settings, but then I just get "warning: relayhost configuration problem" in the
> log, so relay-host is now back to its default value.
> 
> Here's an excerpt from main.cf:
> 
> myhostname = serv.<my.local.domain>
> mydomain = <my.local.domain>
> mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
> 
> I've tried omitting $mydomain from that last line, but it didn't help.
> 
> Can anyone see what I'm missing? (More of main.cf if needed.)

Hello Peter,

I just ran across this document. I hope you find it relevant to your 
mail issues.


https://bridge.grumpy-troll.org/2020/07/small-mailserver-bcp/

Small Mailserver Best Current Practices


James

Re: [gentoo-user] Local mail server

[Peter Humphrey]

On Monday, 27 July 2020 22:10:59 BST james wrote:

> I just ran across this document. I hope you find it relevant to your
> mail issues.
> 
> https://bridge.grumpy-troll.org/2020/07/small-mailserver-bcp/
> 
> Small Mailserver Best Current Practices

Thank you James.

I seem to have fixed my problem by removing the specific addresses from 
mynetworks and setting mynetworkstyle = subnet.

That doesn't make sense to me, but hey-ho.

-- 
Regards,
Peter.

Re: [gentoo-user] Local mail server

[james]

On 7/28/20 4:23 AM, Peter Humphrey wrote:
> On Monday, 27 July 2020 22:10:59 BST james wrote:
> 
>> I just ran across this document. I hope you find it relevant to your
>> mail issues.
>>
>> https://bridge.grumpy-troll.org/2020/07/small-mailserver-bcp/
>>
>> Small Mailserver Best Current Practices
> 
> Thank you James.
> 
> I seem to have fixed my problem by removing the specific addresses from
> mynetworks and setting mynetworkstyle = subnet.
> 
> That doesn't make sense to me, but hey-ho.
> 


Good news.

But I'm still looking for that complete list of (gentoo ebuild) codes to 
run on top of 2-4 stems, for a small, but feature rich solution for

(2) DNS resolvers, (?) mail-servers for a robust mail system that "I" 
admin, and (1) internet facing web server and (1) internal only facing 
or limited outward facing Web server for development and security based 
testing. Static IP are basically $5/month from my ISP.

So this is a point of curiosity for you or anyone with such a setup; but 
only what they wish to reveal publically. A private disclosure, and 
howto is ok too,
and I'll respect your privacy of such detail.

Eventually, when the Rasp.Pi_4 can map or at least utilize 16G of ram, I 
want to move the entire operation to Rp4s.  Then I can have one setup 
stationary, and one mobile in my RV. The thought is the RF (pseudo) 
statics are dominate, unless I travel to an area in the US, that does 
not have connectivity for a mobile rig.

Anyone is encouraged, publically or privately, to make suggestions. 
Eventually, the choices and basic instruction should make it to a web 
page document.

If several folks go down this pathway, then the security and security 
testing semantics, to ensure it is robustly safe, could be well 
documents, via a group effort. So all can benefit and stay safe. Adding 
a secure version of Slack, to these stacks, would be pretty cool too.

After all, such a setup would be sweet, and allow for for travel and 
still be in charge of all of your resources.

Re: [gentoo-user] Local mail server

[Wols Lists]

On 28/07/20 16:01, james wrote:
> (2) DNS resolvers, (?) mail-servers for a robust mail system that "I"
> admin, and (1) internet facing web server and (1) internal only facing
> or limited outward facing Web server for development and security based
> testing. Static IP are basically $5/month from my ISP.

Do you really want to pay for a static IP? I'd go IPv6 instead.

I learnt my v4 in the days of 10-base-2, and I'd really love to update
to punching holes in a v6 router. Limited risk, and no worries about
static IPs, NATing, all that legacy stuff ... :-)

Cheers,
Wol

Re: [gentoo-user] Local mail server

[james]

On 7/28/20 12:05 PM, Wols Lists wrote:
> On 28/07/20 16:01, james wrote:
>> (2) DNS resolvers, (?) mail-servers for a robust mail system that "I"
>> admin, and (1) internet facing web server and (1) internal only facing
>> or limited outward facing Web server for development and security based
>> testing. Static IP are basically $5/month from my ISP.
> 
> Do you really want to pay for a static IP? I'd go IPv6 instead.
> 
> I learnt my v4 in the days of 10-base-2, and I'd really love to update
> to punching holes in a v6 router. Limited risk, and no worries about
> static IPs, NATing, all that legacy stuff ... :-)
> 
> Cheers,
> Wol
> 


It's the bandwidth provider's policy. Static IPs (4 or 6) requires a 
monthly fee. If you know a way around this, with full privileges one 
gets with static IP addresses, I'm all ears.....?

I do not want some limited/dysfunctional solution. I want/need the full 
ability of what static IPs addresses bring. (all ports open etc).

I am curious about your details via IPv6 and static (permanently 
assigned ) addresses.

James

Re: [gentoo-user] Local mail server

[Grant Taylor]

On 7/28/20 5:18 PM, james wrote:
> If you know a way around this, with full privileges one gets with static 
> IP addresses, I'm all ears.....?

A hack that I see used is to pick up a small VPS for a nominal monthly 
fee and establish a VPN to it.  Have it's IP (and ports) directed 
through the VPN to your local system.  You get just about everything, 
save for what's specifically needed for the VPN.



-- 
Grant. . . .
unix || die

Re: [gentoo-user] Local mail server

[Wols Lists]

On 29/07/20 00:18, james wrote:
> It's the bandwidth provider's policy. Static IPs (4 or 6) requires a
> monthly fee. If you know a way around this, with full privileges one
> gets with static IP addresses, I'm all ears.....?

????? I can understand a fee for a static IP4 - they've run out, after
all, and people are fighting over them ...

Don't ISPs get a 2^64 allocation of IP6 *network* addresses? They should
just allocate one to your router and that's that! Still, I wouldn't put
it past them to charge extra for what should be free.
> 
> I do not want some limited/dysfunctional solution. I want/need the full
> ability of what static IPs addresses bring. (all ports open etc).

That's not what a static IP brings, that's what a "globally known" IP
brings - if your router advertises its address to something like dyndns
every time it starts, you'll have the same result. Snag is, that's a
chargeable subscription, I believe.
> 
> I am curious about your details via IPv6 and static (permanently
> assigned ) addresses.

That's why I need to dig and investigate :-) My first ISP in the days of
dial-up allocated a static IP as a matter of course. Not only was it
useful to use, it suited them because customers could only use it on one
computer at a time otherwise routing got screwed up :-)

Then we went to broadband, and in effect it was static because the
modem/router was always on ...


It'll be interesting digging through all this. Just try and make sure
you use your router as a firewall. I think my router drops all incoming
connections BY DEFAULT. But I can open up any port I want, either to
re-route to an internal computer or just pass through to it.

My first investigations would be (1) how do I advertise my router's
network address on dyndns, and (2) once the outside world knows my IP,
how do I let stuff through my router/firewall.

Cheers,
Wol