Couple things - last one first… The static —> dynamic mapping…I would dig into what Wietse said earlier…VPN. If you merely want to have a static IP just act as basically a front-end for your local dynamic setup, then that’s the ticket…
As to the local errant could-tech imaging your HDD, totally agreed…but again, manageable via on-disk encryption… Regardless, I understand your concern\fears re: putting that much faith in a location\hardware\people you cannot directly touch\manage\talk-to…makes total sense but as I’m sure you’d agree, we all have our varying levels of comfort and thresholds… > On Jun 9, 2019, at 3:58 PM, Ronald F. Guilmette <r...@tristatelogic.com> > wrote: > > > In message > <0100016b3e41b455-b95a3601-7822-4541-823a-6230f277bf1b-000000@email. > amazonses.com>, Antonio Leding <t...@leding.net>wrote: > >> Security: >> >> With some VMs, you will have complete root-level rights on >> the server and can do what you wish in terms of server security. > > Yes. Quite. And believe me, I would -never- waste time on or trust in > even the smallest way any VM that I DID NOT have root on. > > I already do have one VM "slice", and yes, I do have root on that. > > Traditionally, through the past 30+ years, and until quite recently, I've > never placed -any- trust in any machine that I did not have immediate > phsysical proximity to. And even now, I still view remote cloud servers > with great skepticism, security-wise. The revelations, over that past > year or so, of the multiple entire *waves* of x86 CPU security flaws... > many of which still remain to be patched... have only underscored and > reinforced my original skepticism. Having root on a VM is hardly > insurance against anything, and wasn't, even before anyone even knew > about all of these CPU bugs. How the hell do I know who has access > to my storage volumes if they are in a data center a thousand miles > away from me, being tended by people who I have never even met? > > So I approach remote VMs very very cautiously, and unlike various > corporations that have jumped headlong onto the cloud bandwagon with > both feet, I personally put as little of my data as possible on such > things. And even then, you won't catch me putting anything on there that > would cause me real problems if the data were exposed to the entire > planet. > > Call me paranoid. Call me a luddite. But I sleep soundly at night. > >> I understand - and share - your concerns re: cloud-based mail security >> but those issues are manageable if proper infosec is implemented. > > I disagree, and I believe that I even have evidence to the contrary. > > Anybody working in that same data center, or who has either direct or > remote admin access to the whole thing can image your entire drive > anytime they want.... and perhaps without you even knowing that it > happened. We all hope that hosting company personnel won't go around > doing this, willy nilly, or in lieu of a court order, but there are no > guarrantees. > > Even though I may disagree with you about the security of cloud VMs, I'm > still very glad that you spoke up anyway, because you've made me think > a bit more about the problem I'm trying to solve, and I've just realized > that there may perhaps be a whole different way to skin this cat. > > The bottom line is that really, I just want a (another) remote VM *only* > (or primarily) for its static IP address... a static IP that's needed, > generally although not necessarily absolutely, in order to run a mail > server. > > Sooooooo... maybe what I really should be trying to figure out is how > I can run a -single- instance of Postfix, down here on my (soon to be > dynamic) end-luser broadband line, and just set up a VM at some fixed > IP address that will be running some sort of a VPN or something that > will just be, in effect, transparently proxying all of the inbound port > 25 traffic to my (soon to be dynamic) DSL line. > > Will this work? Is anybody doing this already? If so, how do I set it > all up? > > > Regards, > rfg
