On Sat, Feb 15, 2020, 1:55 PM Bob Proulx, <b...@proulx.com> wrote:

> Ian Evans wrote:
> > Just looking for a pointer to a recommended tutorial on setting up
> > Postfix as a send only service to be able to send alert emails from
> > a home server like smartmontools drive warnings etc.
>
> The problem won't be finding one. The problem will be finding less
> than several dozen. And selecting a "good" one from the collection.
>
> > I have seen several tutorials that touch on this, but the part I'm
> > not clear on is the FQDN setting. It's a home server so it doesn't
> > have a public domain name.
>
> If everything is completely private on a local area network then one
> can generate any random thing. But since you are wanting to interact
> on the global public Internet wide area network then you must use an
> existing valid domain name.
>
> > If my dynamic DNS provider reaches my home server at
> > myhome.example.com, would that be the FQDN?
>
> I suggest yes. Since the dynamic dns provider "example.com" is a
> valid domain name and they are providing you with the valid FQDN name
> of "myhome.example.com" then yes that would be okay to use that name
> as your FQDN in this case. I say suggest because there are many ways
> to do things and this is simply one possible way.
>
> However there are limitations. I will avoid trying to describe all of
> the possibilities. But just note that things stretch to a certain
> extent. If stretched too far then anything breaks. But in exactly
> the above case you are talking about this will work.
>
> I am going to suggest something different. You have a web site and it
> has a domain name. Or you will have your own domain name for many
> reasons. You might want to use one of those. So *either* the dynamic
> dns provider name as above *or* use a name from a domain you own. In
> either case relay through your Internet server.
>
> > If this makes it easier, I do have a fully functional Postfix mail
> > server on my website server. Is there a way for the home server to
> > send its alert emails via the business server? Or should the home
> > send-only Postfix send through Gmail somehow?
>
> Using your website server solves a very important problem. The
> problem of needing either 1) a static IP address assignment of an IP
> address that is not going to be blocked by the receiving end for being
> in a dynamic address space or being in a blocked IP space and/or 2)
> needing to control both systems on the ends of the network connection
> so that the remote client can authenticate and authorize the sending
> of email from a dynamic IP address to the server. Therefore if it
> were me in your position I would use your website server to receive
> the email connection from your home client. And then have the website
> server send the mail to Gmail or wherever. (Google may still be a
> problem for robustly accepting the email. They often are. But can
> only start somewhere and then cross each bridge problem as you come to
> them.)
>
> Your myhome.example.com client will not be able to send to Google's
> Gmail or practically anywhere else because it will have a dynamic IP
> assignment. As a practical matter almost every mail service blocks
> mail from dynamic IP address assignments. To block hostile agents
> abusing the network from virus infected systems and other compromised
> devices. Soo... Don't even try it. It will just be an exercise in
> frustration for you.
>
> Your business server website will have a static IP assignment. That
> will allow it to send email to other systems on the Internet such as
> Google's Gmail. It can operate as your mail relay. It can be
> configured to authorize mail from your home dynamic IP client and your
> home dynamic IP client can be configured to authenticate to it.
>
> With your dynamic IP home client authenticating to your website server
> and your website server authorizing the email relay then automated
> notifications from your home client can be sent to your Gmail
> account. That will work. That is probably the best way for you to
> configure your setup.
>
> Hopefully that clears up the problems you will face. With that
> discussion in place the next question you SHOULD be asking is what is
> the simplest and most robust way for you to set up the communication
> connection between your home client and your Internet server in order
> to authenticate your client and authorize the relay of mail through
> the server? That is the much more interesting discussion to have
> here. Because there are several possibilities with pros and cons to
> the selection. SASL with shared private keys? Public keys using
> certificates? Encrypted or non-encrypted connections? VPN? Several
> good possibilities to choose from in just as many sentences.
>
> Personally for exactly the situation you are describing I think the
> easiest and simplest is using a VPN. A VPN (virtual private network)
> connects over the Internet my remote dynamic IP clients with my static
> IP server. Then I configure Postfix to send the remote client email
> over the VPN. The server allows local (vpn-local) network connections
> (permit_mynetworks) and relays the mail. The authentication and
> authorization is done by the VPN connection. All communication over
> the VPN is fully encrypted. So for me that is one easy way to set
> things up. And then the VPN is useful for other aspects of the
> problem such as being able to connect out to the remote client over
> the VPN too. Since the VPN is connecting to your Internet server this
> allows you to use either the FQDN of the dynamic dns provider or to
> use a FQDN of your own domain name. Since the VPN is connecting your
> systems. A good all purpose VPN suggestion would be OpenVPN but a
> very simple and effective one might be 'sshuttle' or 'autossh' to set
> up a tunnel. Three good possibilities in that one sentence. In
> different places I have made good use of all three of those. Pros and
> cons to each.
>
> The best solution for you is the one you understand the best. That is
> the one you can manage the easiest.
>
> Sorry if one question begets quite a few more. But that is the nature
> of these things! :-)
>
> Bob

Egads. 😊 You're right. A million questions and not a "will have this project finished in half an hour." Will have to set aside a clearer weekend day.

It's so easy for projects like, say, zoneminder to say "check this box to send alerts" without putting a giant asterisk next to it and suggesting you'll need to invest in a lot of coffee.

Thanks for outlining possible solutions. I'll look into them soon.
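
Added example, not part of the thread or of either poster's configuration: a Python check for the VPN relay setup Bob describes, where the server relays through permit_mynetworks, confirming that mynetworks covers only loopback and the VPN subnet and that the home client is send-only. The two main.cf excerpts are constructed samples; the 10.8.0.0/24 subnet, the 10.8.0.1 relay address and the function names are assumptions.

```python
import ipaddress

# Constructed samples. 10.8.0.0/24 (VPN subnet) and 10.8.0.1 (relay) are assumptions.
SERVER_MAIN_CF = """\
# website server: relay only for loopback and VPN peers
mynetworks = 127.0.0.0/8 [::1]/128
    10.8.0.0/24
smtpd_relay_restrictions = permit_mynetworks,
    reject_unauth_destination
"""
CLIENT_MAIN_CF = """\
myhostname = myhome.example.com
inet_interfaces = loopback-only
relayhost = [10.8.0.1]:25
"""

def parse_main_cf(text):
    """'#' lines are comments; a line starting with whitespace continues the previous one."""
    params, key = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and key:
            params[key] += " " + line.strip()
        else:
            key, _, value = (part.strip() for part in line.partition("="))
            params[key] = value
    return params

def words(value):
    """Postfix list values are separated by commas and/or whitespace."""
    return value.replace(",", " ").split()

def audit(server, client, vpn="10.8.0.0/24"):
    """Return findings that would widen relay access beyond loopback and the VPN."""
    allowed = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "::1/128", vpn)]
    findings = []
    for entry in words(server.get("mynetworks", "")):
        try:
            net = ipaddress.ip_network(entry.replace("[", "").replace("]", ""), strict=False)
        except ValueError:  # e.g. a lookup table such as hash:/path, needs manual review
            findings.append(f"mynetworks: cannot evaluate {entry}")
            continue
        if not any(a.version == net.version and net.subnet_of(a) for a in allowed):
            findings.append(f"mynetworks: {entry} is outside loopback/VPN")
    if "reject_unauth_destination" not in words(server.get("smtpd_relay_restrictions", "")):
        findings.append("smtpd_relay_restrictions: no reject_unauth_destination")
    if client.get("inet_interfaces") != "loopback-only":
        findings.append("client inet_interfaces: listens beyond loopback")
    return findings
```

With permit_mynetworks as the only authorization step, every address in mynetworks can relay through the server, so an entry wider than the VPN subnet is the setting to look for first.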