In message <20230709223922.dd59afd9f...@ary.qy>, John Levine via mailop <mailop@mailop.org> writes
>A friend of mine wants to set up a mail server on a VPS and asked me what
>he needs to do beyond the obvious setting up postfix and dovecot. Is there
>a good summary somewhere?

not that I know of -- arguably there should be one, but perhaps it will
just encourage unwise activity. I am reminded of Usenet advice of not
posting for the first six months and if you ask why that is good advice
then add another six months...

I recently reviewed an IETF draft on (de)centralisation which observed
that running your own mail system, rather than using a centralised
provider, was far too hard. In discussions with Eliot Lear we ended up
with a list of things you had to do:

* configure and manage the MTA
* arrange for a backup MTA
* manage DNS MX, DKIM, DMARC and SPF records
* manage reverse lookup records, including managing the uncertain chain
  of authority between the instance and the nearest SOA
* manage certificates associated with TLS for SMTP and IMAP
* manage DKIM certificate
* manage one's upstream to address PBL issues
* keep the MTA secure and free from DoS attack

>I'm thinking of things like:
>
>- choose a provider that has decent mail behavior, e.g., not Digital Ocean
>
>- make sure the MTA's forward and reverse DNS match
>
>- set up an SPF record, probably "v=spf1 mx ~all"
>
>- set up DKIM signing for each domain you host, make the
>DKIM domain match the From: domain
>
>- start slow and look at any bounces
>
>- maybe collect DMARC stats but for a small volume MTA, not very interesting

ALSO back in 2011 (when the world was a little simpler perhaps) I worked
on an M3AAWG BCP on this topic -- which eventually went nowhere ...

the list then was (and I stress this was not sufficiently peer reviewed
then to be authoritative, but it was written by some experts):

* Use a static IPv4 address for your email system
* Do not share this IPv4 address with user machines
* Do not host your email system 'in the cloud'
* Make sure that your IP address is not listed in the PBL
* Provide an MX record
* Provide meaningful and consistent reverse DNS
* Your system should say HELO (or EHLO) with its hostname
* Keep your software completely up-to-date
* Ensure that only authorised users can send email through your system
* Limit outgoing email volumes
* Accept reports of problems with your systems
* Review the mail system logs on a regular basis
* Be reliable (viz. have at least 4 9s availability)
* Don't be an open relay
* Don't create backscatter
* Maintain a good reputation

-- 
richard                                                   Richard Clayton

Those who would give up essential Liberty, to purchase a little temporary
Safety, deserve neither Liberty nor Safety. Benjamin Franklin 11 Nov 1755
_______________________________________________ mailop mailing list mailop@mailop.org https://list.mailop.org/listinfo/mailop
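The DNS-side items from the two checklists in the message above (forward/reverse DNS agreement, HELO name matching the PTR, an MX record, SPF, DKIM and DMARC records) are the ones a new operator most often gets wrong and the easiest to verify mechanically. The script below is an added example, not code from the thread or from either poster; it audits those items against a constructed, in-memory DNS snapshot so it runs offline. The hostnames (example.net, mx1.example.net), the 192.0.2.x addresses (TEST-NET-1), the DKIM selector "s1" and the record contents are all made up for the example; to use it for real, replace `lookup()` with resolver calls.

```python
"""Offline audit of the DNS checklist items for a small mail server.

Constructed example: the DNS data is an in-memory dict standing in for
live lookups, so the checks run without network access.
"""


def lookup(dns, rtype, name):
    """Return the record(s) of type rtype for name from the snapshot, or None."""
    return dns.get(rtype, {}).get(name)


def parse_tags(txt):
    """Turn a 'k=v; k=v' DKIM/DMARC record into a dict of tag -> value."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip()] = value.strip()
    return tags


def check_fcrdns(dns, ip, helo):
    """Forward-confirmed reverse DNS, and HELO name equal to the PTR name."""
    findings = []
    ptr = lookup(dns, "PTR", ip)
    if ptr is None:
        return [f"no PTR for {ip}: reverse DNS missing"]
    fwd = lookup(dns, "A", ptr)
    if fwd != ip:
        findings.append(f"PTR {ip} -> {ptr} but {ptr} -> {fwd}: forward/reverse mismatch")
    if helo.lower() != ptr.lower():
        findings.append(f"HELO {helo} differs from PTR name {ptr}")
    return findings


def check_mx(dns, domain):
    """An MX record must exist and each MX host must resolve."""
    mxs = lookup(dns, "MX", domain) or []
    if not mxs:
        return [f"no MX record for {domain}"]
    return [f"MX host {h} has no A record" for h in mxs if lookup(dns, "A", h) is None]


def check_spf(dns, domain):
    """Exactly one v=spf1 TXT record, and it must not pass everything."""
    recs = [t for t in (lookup(dns, "TXT", domain) or []) if t.lower().startswith("v=spf1")]
    if not recs:
        return [f"no SPF record for {domain}"]
    if len(recs) > 1:
        return [f"{len(recs)} SPF records for {domain}; there must be exactly one"]
    terms = recs[0].split()[1:]
    # The default qualifier is '+', so a bare 'all' is the same as '+all'.
    if any(t.lower() in ("+all", "all") for t in terms):
        return [f"SPF for {domain} ends in +all: any host may send as this domain"]
    return []


def check_dkim(dns, domain, selector):
    """The selector's TXT record must carry a non-empty public key (p=)."""
    name = f"{selector}._domainkey.{domain}"
    recs = lookup(dns, "TXT", name) or []
    if not recs:
        return [f"no DKIM record at {name}"]
    tags = parse_tags(recs[0])
    findings = []
    if tags.get("v", "DKIM1") != "DKIM1":
        findings.append(f"DKIM record at {name} has unexpected v={tags['v']}")
    if not tags.get("p"):
        findings.append(f"DKIM record at {name} has empty p= (key revoked or missing)")
    return findings


def check_dmarc(dns, domain):
    """A DMARC record must start with v=DMARC1 and carry a valid policy."""
    name = f"_dmarc.{domain}"
    recs = lookup(dns, "TXT", name) or []
    if not recs:
        return [f"no DMARC record at {name}"]
    tags = parse_tags(recs[0])
    if recs[0].split(";")[0].strip().lower() != "v=dmarc1":
        return [f"DMARC record at {name} does not begin with v=DMARC1"]
    if tags.get("p") not in ("none", "quarantine", "reject"):
        return [f"DMARC record at {name} has missing or invalid p= policy"]
    return []


def audit(dns, ip, helo, domain, selector):
    """Run every check and return the list of findings (empty means clean)."""
    return (check_fcrdns(dns, ip, helo) + check_mx(dns, domain)
            + check_spf(dns, domain) + check_dkim(dns, domain, selector)
            + check_dmarc(dns, domain))


# Constructed snapshot of a correctly configured setup (not real systems).
GOOD_DNS = {
    "A": {"mx1.example.net": "192.0.2.25", "example.net": "192.0.2.10"},
    "PTR": {"192.0.2.25": "mx1.example.net"},
    "MX": {"example.net": ["mx1.example.net"]},
    "TXT": {
        "example.net": ["v=spf1 mx ~all"],
        "s1._domainkey.example.net": ["v=DKIM1; k=rsa; p=EXAMPLEPUBLICKEYBASE64"],
        "_dmarc.example.net": ["v=DMARC1; p=none; rua=mailto:dmarc@example.net"],
    },
}

# Constructed snapshot of a typical fresh-VPS misconfiguration.
BAD_DNS = {
    "A": {"mx1.example.net": "192.0.2.25", "vps-4711.hosting.example": "192.0.2.26"},
    "PTR": {"192.0.2.25": "vps-4711.hosting.example"},
    "MX": {},
    "TXT": {
        "example.net": ["v=spf1 +all"],
        "s1._domainkey.example.net": ["v=DKIM1; k=rsa; p="],
    },
}

if __name__ == "__main__":
    for label, snap in (("good", GOOD_DNS), ("bad", BAD_DNS)):
        print(label, audit(snap, "192.0.2.25", "mx1.example.net", "example.net", "s1"))
```

The "bad" snapshot reproduces the usual first-day mistakes: the PTR is the hosting provider's generic name and does not round-trip to the MX address, the HELO name does not match it, there is no MX, the SPF record is `+all` (which authorises the whole internet), the DKIM key is empty, and DMARC is absent. Each of those comes back as a separate finding.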