When I set up my last email server, I got a cheap TLD to flog it on the internet. I used a dot-site TLD that cost a buck. (Mind you I reject all those goofy TLDs on my actual server.) With example.site, you get to test out everything except dnssec.
The last place I would be looking for email server software is on github. Maintenance is far easier using a repo.

My TLS is still at "may". I have three contacts I can't get to set up encryption. When Google forces encryption, I will do so.

Signing your email with DKIM is more of a priority than authenticating incoming email, though both are important. If you don't sign with DKIM, you look spammy. I also do SPF. One reason you want to be online rather than on a LAN is there are websites that will test your server. http://dkimvalidator.com

If you are setting this server up for a small number of users, consider using a stick shift rather than an automatic. That is, I try to keep the attack surface as small as possible. I have no web access to the email programs. I do everything with the command line via ssh.

I'm guessing you will be using a VPS. I'm on Digital Ocean running CentOS. But I assume this is a function of what country you reside in. Some sysadmins will assume if you are on a VPS, you are a spammer. AT&T, for example. They will whitelist your IP, but you need to ask. I got a lot of grief when I disparaged OVH, but I swear they are bulletproof hosting and I would avoid them. You really should go for an SSD-based VPS if you go that route at all. In benchmarks, Linode is usually a bit faster than Digital Ocean.

I used this blog as a guide, but hacked it a bit for postfix 3. https://blog.iandreev.com/?p=1975

On my current server, I skipped amavisd-new because sometimes it stalls the mail queue. Nor do I run SpamAssassin. I'm happy just using RBLs. I'm running opendkim, openspf, and opendmarc.

Original Message
From: robac...@fastmail.us
Sent: August 14, 2018 8:06 PM
To: postfix-users@postfix.org
Subject: New to Postfix. 3 questions about security functions.

Hello, I'm starting the process of moving my mail from a hosted service to my own. It'll include a Postfix server. I got a test server running locally and 'sending & receiving' mail inside my LAN.
Now I'm doing my reading on security issues, authentication, and the like. I've got stacks of articles and notes. I'm looking for any advice from opinionated, experienced Postfix users. A couple of production questions:

(1) For open-source authentication milters (DKIM, DMARC, ARC) that work with Postfix on Linux, there seem to be two main choices:
https://github.com/fastmail/authentication_milter
https://github.com/trusteddomainproject/
What do folks here recommend to use?

(2) Is it time -- in the real world -- to force STARTTLS yet? What's the current advice for MTA-STS vs MTA-DANE? Which should we implement?

(3) TLS 1.3 has been officially released. I guess there will be a release of OpenSSL 1.1.1 that has it coming pretty soon. What, if anything, should we be doing with Postfix and TLS 1.3? I'm guessing it will be ABLE to use it. But I don't want to make the mistake of turning it on just to be current, if I then make it impossible to communicate with my servers.

Thanks.
Rob Arlenn
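To make the two TLS choices in this thread concrete (the reply's outbound level left at "may" versus the question about forcing STARTTLS and choosing DANE), here is a main.cf fragment added as an illustration; it is not the configuration of either poster, and the milter socket ports, certificate paths and policy-map path are assumptions that must match the opendkim/opendmarc listeners and the distro's file layout.

```ini
# main.cf fragment (added illustration, not from either poster's server).
# Milter sockets below are assumed; match them to the Socket lines in
# opendkim.conf and opendmarc.conf.

# --- Milters: DKIM-sign outbound and locally submitted mail, DMARC-check inbound ---
smtpd_milters     = inet:127.0.0.1:8891, inet:127.0.0.1:8893
non_smtpd_milters = inet:127.0.0.1:8891
milter_default_action = accept
milter_protocol = 6

# --- Inbound (smtpd): offer STARTTLS, but do not require it on a public MX ---
# "encrypt" here would make the server unreachable for the few senders that
# still cannot do TLS; Postfix documents "may" as the correct level for a public MX.
smtpd_tls_security_level = may
smtpd_tls_cert_file = /etc/postfix/tls/mx.example.site.crt   # placeholder path
smtpd_tls_key_file  = /etc/postfix/tls/mx.example.site.key   # placeholder path
smtpd_tls_loglevel = 1

# --- Outbound (smtp): weak default, as in the reply above ---
# Opportunistic only: any downgrade to cleartext is silently accepted.
# smtp_tls_security_level = may

# --- Outbound (smtp): stronger default ---
# "dane" authenticates destinations that publish TLSA records and behaves like
# "may" for everyone else, so it does not break delivery to TLS-less peers.
# It only works with a DNSSEC-validating resolver on localhost; a domain whose
# zone is not DNSSEC-signed (like the dot-site test domain above) gets "may".
smtp_tls_security_level = dane
smtp_dns_support_level  = dnssec
smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt   # CentOS path; adjust per distro
smtp_tls_loglevel = 1

# Per-destination overrides for partners you can require TLS from
# (e.g. a line "partner.example encrypt" in the map, then postmap it).
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy

# TLS 1.3: with Postfix 3.x on OpenSSL 1.1.1 it is negotiated automatically as
# long as the protocol lists stay exclusion-style (the defaults); do not pin
# an inclusion list such as "TLSv1.2", which would block newer versions.
smtp_tls_protocols  = !SSLv2, !SSLv3
smtpd_tls_protocols = !SSLv2, !SSLv3
```

After editing, reload Postfix and watch the mail log at loglevel 1: outbound sessions to DANE-capable destinations are logged as "Verified TLS connection established" while ordinary peers stay at "Untrusted" or "Anonymous", which is the quickest way to confirm that the validating resolver is actually being used.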