Hello all, I'm getting ready to set up a mail server, and I have a few questions that I was hoping people would have opinions on. Right now I have a box that collects my mail with fetchmail, and then allows other boxes on the LAN to collect from it via qpopper. All direct outside access is blocked, first with iptables, and then with both tcpwrap and qpopper itself.
Now I find myself in the position of changing the setup, so that it is a real internet-facing mail server. It will act as the MX for my domain, using exim, and will distribute the mail to people, either still with qpopper or with an IMAP server (haven't decided yet). There are several questions I have at this point: I would like to add user accounts, so that exim and qpopper (or IMAP) accept and deliver mail for them, but not allow these users shell access. Is changing their shell to /bin/false enough, or is there a smarter way (or one that is not quite so manual?) Many of these user accounts will no doubt be sending and receiving email from dial-up accounts, which limits the ability to deny service on a per-IP basis. Suggestions for security, with pointers, please? I already plan on SSL, I'm asking I guess more about open relay issues in this sort of setup. Also, these user accounts will not be dialing into an ISP that I control, but I may wish to allow them to use me as a smarthost - does this seem foolish? I am undecided. Anything you think I'm leaving out? I've done a lot of googling and RTFM'ing recently, but I haven't found a really good guide to practical security considerations for a mail host - if someone has a good link it would be appreciated. Last question, I swear (for now at least (^8 ) - should I register my SSL cert through Verisign, which (although I haven't yet researched it, is I assume not free, or can I safely just generate my own? Again, pointers appreciated. TIA, all, Steve -- Overdrawn? But I still have checks left!
pgpgj6Tqf3Upa.pgp
Description: PGP signature
